From d629bee9546fa6ed6a018f2b6d491a851ad12738 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 13 Jul 2015 13:39:49 +0200
Subject: "rebase"

---
 old/modules/lass/base.nix | 61 +++++++++++++++++++++++++++++++----------------
 1 file changed, 40 insertions(+), 21 deletions(-)

(limited to 'old/modules/lass/base.nix')

diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix
index 3a8d879eb..159372a24 100644
--- a/old/modules/lass/base.nix
+++ b/old/modules/lass/base.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     ./sshkeys.nix
+    ./iptables
   ];
 
   nix.useChroot = true;
@@ -65,6 +66,10 @@
     '';
   };
 
+  security.setuidPrograms = [
+    "sendmail"
+  ];
+
   services.gitolite = {
     enable = true;
     dataDir = "/home/gitolite";
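Review bot: `security.setuidPrograms = [ "sendmail" ]` installs a setuid-root wrapper for whichever `sendmail` binary is on the system path, and nothing in the hunk records which MTA provides it or why root privilege is required, so this new root-privileged entry point is undocumented. Add a comment above the option naming the MTA and the caller that needs it, e.g. `# setuid-root wrapper so unprivileged users (gitolite hooks, cron) can submit mail via the local MTA; binary comes from <MTA package>`. If the MTA only needs group access to its spool, a `security.setuidOwners` entry with `setuid = false; setgid = true;` and an explicit `group` would be narrower than setuid root — worth checking against the MTA's own requirements.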
@@ -84,27 +89,41 @@
     RuntimeMaxUse=128M
   '';
-  networking.firewall = {
+  lass.iptables = {
     enable = true;
-
-    allowedTCPPorts = [
-      22
-    ];
-
-    extraCommands = ''
-      iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
-      iptables -A INPUT -j ACCEPT -i lo
-      iptables -A INPUT -j ACCEPT -p icmp
-
-      #iptables -N Retiolum
-      iptables -A INPUT -j Retiolum -i retiolum
-      iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
-      iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
-      iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
-      iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
-      iptables -A Retiolum -j REJECT
-    '';
-
-    extraStopCommands = "iptables -F";
+    tables = {
+      filter.INPUT.policy = "DROP";
+      filter.FORWARD.policy = "DROP";
+      filter.INPUT.rules = [
+        { predicate = "-i lo"; target = "ACCEPT"; }
+        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+        { predicate = "-p icmp"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+      ];
+    };
   };
 
+
+  #Networking.firewall = {
+  #  enable = true;
+
+  #  allowedTCPPorts = [
+  #    22
+  #  ];
+
+  #  extraCommands = ''
+  #    iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+  #    iptables -A INPUT -j ACCEPT -i lo
+  #    #http://serverfault.com/questions/84963/why-not-block-icmp
+  #    iptables -A INPUT -j ACCEPT -p icmp
+
+  #    #TODO: fix Retiolum firewall
+  #    #iptables -N RETIOLUM
+  #    #iptables -A INPUT -j RETIOLUM -i retiolum
+  #    #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+  #    #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
+  #    #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
+  #    #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
+  #    #iptables -A RETIOLUM -j REJECT
+  #  '';
+  #};
 }
-- 
cgit v1.2.3
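Review bot: The new `lass.iptables` block expresses its policy only as `tables.filter` entries and nothing in the hunk shows that the module also programs ip6tables; the `networking.firewall` module it replaces covers IPv6 alongside IPv4, so unless `./iptables` (imported in an earlier hunk, not visible here) mirrors every rule for v6, the host's IPv6 INPUT chain is left at the kernel default of ACCEPT while v4 is DROP. Confirm that `filter.INPUT.policy = "DROP"` is applied to ip6tables as well and that ICMPv6 is accepted there (neighbour discovery breaks under a blanket DROP), or record in a comment that the host has no IPv6 connectivity. The removed `extraStopCommands = "iptables -F"` teardown has no visible counterpart either, so check what the module leaves in the kernel when it is disabled. The ~35 lines of `#Networking.firewall` that follow the live block are dead, commented-out configuration; the old rules are preserved in git history and should be deleted rather than shipped alongside the active policy, with the `#TODO: fix Retiolum firewall` item moved to a one-line comment on the new block if it is still wanted.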