blob: 4924db4f36d3528c159f95e8d52fd505d9dd9716 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
{ config, lib, pkgs, ... }:
with builtins;
with lib;
let
cfg = config.tv.iptables;
out = {
options.tv.iptables = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.iptables";
accept-echo-request = mkOption {
type = with types; nullOr (enum ["internet" "retiolum"]);
default = "retiolum";
};
input-internet-accept-new-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-retiolum-accept-new-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
};
imp = {
networking.firewall.enable = false;
systemd.services.tv-iptables = {
description = "tv-iptables";
wantedBy = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = with pkgs; [
iptables
];
restartIfChanged = true;
serviceConfig = {
Type = "simple";
RemainAfterExit = true;
Restart = "always";
SyslogIdentifier = "tv-iptables_start";
ExecStart = pkgs.writeDash "tv-iptables_start" ''
set -euf
iptables-restore < ${rules 4}
ip6tables-restore < ${rules 6}
'';
};
};
};
rules = iptables-version: let
accept-echo-request = {
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
}."ip${toString iptables-version}tables";
accept-new-tcp = port:
"-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
in
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [
"! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
"-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Retiolum - [0:0]
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
++ [
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"-i lo -j ACCEPT"
]
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
++ ["-i retiolum -j Retiolum"]
)}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp-port-unreachable"
"-j REJECT --reject-with icmp-proto-unreachable"
];
ip6tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
"-j REJECT"
];
}."ip${toString iptables-version}tables"
)}
COMMIT
'';
in out
#let
# cfg = config.tv.iptables;
# arg' = arg // { inherit cfg; };
#in
#
#{
# options.tv.iptables = import ./options.nix arg';
# config = lib.mkIf cfg.enable (import ./config.nix arg');
#}
|