| author | Alejandro Soto <alejandro@34project.org> | 2025-03-30 23:28:29 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-04-06 12:46:29 -0600 |
| commit | 8898f7399fe3715881cbc84e19a4ca0bbbf10839 (patch) | |
| tree | 1328c5359db6d5ceef9fd098e6d594452a7495ef | |
| parent | 903e9d67ee6018380732df1e593ce85f7b36762c (diff) | |
sys/net: create custom iptables chains for local rules
Diffstat (limited to '')
| -rw-r--r-- | sys/net/interfaces.nix | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
index 9b9286d..5bea211 100644
--- a/sys/net/interfaces.nix
+++ b/sys/net/interfaces.nix
@@ -17,6 +17,13 @@ in
 };
 config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ };
+
 environment.systemPackages = with pkgs; [
 conntrack-tools
 dhcpcd
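Review bot: The sysctl block turns on `net.ipv{4,6}.conf.{all,default}.forwarding`, so every present and future interface forwards packets whenever `cfg.enable` is set, while the second hunk of this same commit leaves the FORWARD policy at ACCEPT with a `#TODO: DROP` and gives `local-forward` no terminal rule; until that TODO lands, anything reachable on one interface can be routed to any other interface through this host with no filtering at all. Consider enabling forwarding only on the interfaces that need it (`"net.ipv4.conf.<iface>.forwarding"` instead of `all`/`default`), or gating the sysctl behind the same option that will set the DROP policy. At minimum the dependency should be recorded next to the sysctl, e.g. `# Forwarding is unconditional here; FORWARD must default to DROP (see firewall.extraCommands) before this host sits on an untrusted segment.` The enclosing `config = mkIf cfg.enable { … }` set continues past the end of the hunk.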
@@ -30,7 +37,45 @@ in
 domain = mkDefault config.local.domains.host.main;
 hostName = cfg.hostname;
- firewall.logRefusedConnections = false;
+ firewall = {
+ extraCommands = mkBefore ''
+ ip46tables -t filter -P INPUT DROP
+ ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP
+
+ ip46tables -t filter -N local-input
+ ip46tables -t filter -N local-forward
+ ip46tables -t nat -N local-prerouting
+ ip46tables -t nat -N local-postrouting
+
+ ip46tables -t filter -I INPUT -j local-input
+ ip46tables -t filter -I FORWARD -j local-forward
+ ip46tables -t nat -I PREROUTING -j local-prerouting
+ ip46tables -t nat -I POSTROUTING -j local-postrouting
+
+ ip46tables -t filter -A local-forward -m conntrack --ctstate RELATED,ESTABLISHED,SNAT,DNAT -j ACCEPT
+ '';
+
+ extraStopCommands = mkAfter ''
+ ip46tables -t filter -D INPUT -j local-input || true
+ ip46tables -t filter -D FORWARD -j local-forward || true
+ ip46tables -t nat -D PREROUTING -j local-prerouting || true
+ ip46tables -t nat -D POSTROUTING -j local-postrouting || true
+
+ ip46tables -t filter -F local-input || true
+ ip46tables -t filter -X local-input || true
+ ip46tables -t filter -F local-forward || true
+ ip46tables -t filter -X local-forward || true
+ ip46tables -t nat -F local-prerouting || true
+ ip46tables -t nat -X local-prerouting || true
+ ip46tables -t nat -F local-postrouting || true
+ ip46tables -t nat -X local-postrouting || true
+
+ ip46tables -t filter -P INPUT ACCEPT
+ ip46tables -t filter -P FORWARD ACCEPT
+ '';
+
+ logRefusedConnections = false;
+ };
 useDHCP = false;
 enableIPv6 = mkDefault true; |
