stockholm/tv/3modules/iptables.nix

185 lines
5.2 KiB
Nix
Raw Normal View History

2015-07-11 16:55:22 +02:00
{ config, lib, pkgs, ... }:
2016-10-20 20:54:38 +02:00
with import <stockholm/lib>;
2017-01-05 21:03:23 +01:00
let {
2015-07-11 16:55:22 +02:00
cfg = config.tv.iptables;
2017-01-05 21:03:23 +01:00
body = {
2015-07-11 16:55:22 +02:00
options.tv.iptables = api;
2016-02-14 16:43:44 +01:00
config = lib.mkIf cfg.enable imp;
2015-07-11 16:55:22 +02:00
};
2019-02-10 14:22:54 +01:00
extraTypes = {
rules = types.submodule {
options = {
nat.OUTPUT = mkOption {
type = with types; listOf str;
default = [];
};
nat.PREROUTING = mkOption {
type = with types; listOf str;
default = [];
};
nat.POSTROUTING = mkOption {
type = with types; listOf str;
default = [];
};
filter.FORWARD = mkOption {
type = with types; listOf str;
default = [];
};
filter.INPUT = mkOption {
type = with types; listOf str;
default = [];
};
2019-02-10 14:36:31 +01:00
filter.Retiolum = mkOption {
type = with types; listOf str;
default = [];
};
2019-02-10 14:22:54 +01:00
};
};
};
2015-07-11 16:55:22 +02:00
api = {
2015-07-13 17:36:31 +02:00
enable = mkEnableOption "tv.iptables";
2015-07-11 16:55:22 +02:00
2016-02-07 03:09:14 +01:00
accept-echo-request = mkOption {
type = with types; nullOr (enum ["internet" "retiolum"]);
default = "retiolum";
};
2016-06-30 00:52:35 +02:00
input-internet-accept-tcp = mkOption {
2015-07-19 16:12:21 +02:00
type = with types; listOf (either int str);
2015-07-11 16:55:22 +02:00
default = [];
};
2016-06-30 00:52:35 +02:00
input-internet-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-retiolum-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
input-retiolum-accept-udp = mkOption {
2015-07-19 16:12:21 +02:00
type = with types; listOf (either int str);
2015-07-11 16:55:22 +02:00
default = [];
};
2016-02-18 00:50:10 +01:00
2019-02-10 14:22:54 +01:00
extra = mkOption {
default = {};
type = extraTypes.rules;
};
extra4 = mkOption {
default = {};
type = extraTypes.rules;
};
extra6 = mkOption {
default = {};
type = extraTypes.rules;
2016-02-18 00:50:10 +01:00
};
2015-07-11 16:55:22 +02:00
};
imp = {
networking.firewall.enable = false;
systemd.services.tv-iptables = {
wantedBy = [ "sysinit.target" ];
wants = [ "network-pre.target" ];
2015-07-11 16:55:22 +02:00
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = with pkgs; [
iptables
];
2015-07-27 02:02:34 +02:00
2015-07-11 16:55:22 +02:00
restartIfChanged = true;
2015-07-27 02:02:34 +02:00
2015-07-11 16:55:22 +02:00
serviceConfig = {
Type = "simple";
RemainAfterExit = true;
Restart = "always";
SyslogIdentifier = "tv-iptables_start";
ExecStart = pkgs.writeDash "tv-iptables_start" ''
set -euf
iptables-restore < ${rules 4}
ip6tables-restore < ${rules 6}
'';
2015-07-11 16:55:22 +02:00
};
unitConfig.DefaultDependencies = false;
2015-07-11 16:55:22 +02:00
};
};
2016-02-18 00:50:10 +01:00
formatTable = table:
(concatStringsSep "\n"
(mapAttrsToList
(chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
table));
2015-07-11 16:55:22 +02:00
2016-02-07 03:09:14 +01:00
rules = iptables-version: let
accept-echo-request = {
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
}."ip${toString iptables-version}tables";
2016-06-30 00:52:35 +02:00
accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
2016-02-07 03:09:14 +01:00
in
2015-07-11 16:55:22 +02:00
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [
"! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
"-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
2016-02-18 00:50:10 +01:00
${formatTable cfg.extra.nat}
2019-02-10 14:22:54 +01:00
${formatTable cfg."extra${toString iptables-version}".nat}
2015-07-11 16:55:22 +02:00
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Retiolum - [0:0]
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
++ [
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"-i lo -j ACCEPT"
]
2016-02-07 03:09:14 +01:00
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
2016-06-30 00:52:35 +02:00
++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
2015-07-11 16:55:22 +02:00
++ ["-i retiolum -j Retiolum"]
)}
2016-02-18 00:50:10 +01:00
${formatTable cfg.extra.filter}
2019-02-10 14:22:54 +01:00
${formatTable cfg."extra${toString iptables-version}".filter}
2015-07-11 16:55:22 +02:00
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
2016-02-07 03:09:14 +01:00
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
2016-06-30 00:52:35 +02:00
++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
2015-07-11 16:55:22 +02:00
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp-port-unreachable"
"-j REJECT --reject-with icmp-proto-unreachable"
];
ip6tables = [
"-p tcp -j REJECT --reject-with tcp-reset"
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
"-j REJECT"
];
}."ip${toString iptables-version}tables"
)}
COMMIT
'';
2017-01-05 21:03:23 +01:00
}