2015-07-11 16:55:22 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
2016-02-14 16:43:44 +01:00
|
|
|
with config.krebs.lib;
|
2015-07-11 16:55:22 +02:00
|
|
|
let
|
|
|
|
cfg = config.tv.iptables;
|
|
|
|
|
|
|
|
out = {
|
|
|
|
options.tv.iptables = api;
|
2016-02-14 16:43:44 +01:00
|
|
|
config = lib.mkIf cfg.enable imp;
|
2015-07-11 16:55:22 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
api = {
|
2015-07-13 17:36:31 +02:00
|
|
|
enable = mkEnableOption "tv.iptables";
|
2015-07-11 16:55:22 +02:00
|
|
|
|
2016-02-07 03:09:14 +01:00
|
|
|
accept-echo-request = mkOption {
|
|
|
|
type = with types; nullOr (enum ["internet" "retiolum"]);
|
|
|
|
default = "retiolum";
|
|
|
|
};
|
|
|
|
|
2015-07-11 16:55:22 +02:00
|
|
|
input-internet-accept-new-tcp = mkOption {
|
2015-07-19 16:12:21 +02:00
|
|
|
type = with types; listOf (either int str);
|
2015-07-11 16:55:22 +02:00
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
|
|
|
|
input-retiolum-accept-new-tcp = mkOption {
|
2015-07-19 16:12:21 +02:00
|
|
|
type = with types; listOf (either int str);
|
2015-07-11 16:55:22 +02:00
|
|
|
default = [];
|
|
|
|
};
|
2016-02-18 00:50:10 +01:00
|
|
|
|
|
|
|
extra = {
|
|
|
|
nat.POSTROUTING = mkOption {
|
|
|
|
type = with types; listOf str;
|
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
filter.FORWARD = mkOption {
|
|
|
|
type = with types; listOf str;
|
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
filter.INPUT = mkOption {
|
|
|
|
type = with types; listOf str;
|
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
};
|
2015-07-11 16:55:22 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
imp = {
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
|
|
|
|
systemd.services.tv-iptables = {
|
|
|
|
description = "tv-iptables";
|
|
|
|
wantedBy = [ "network-pre.target" ];
|
|
|
|
before = [ "network-pre.target" ];
|
|
|
|
after = [ "systemd-modules-load.service" ];
|
|
|
|
|
|
|
|
path = with pkgs; [
|
|
|
|
iptables
|
|
|
|
];
|
2015-07-27 02:02:34 +02:00
|
|
|
|
2015-07-11 16:55:22 +02:00
|
|
|
restartIfChanged = true;
|
2015-07-27 02:02:34 +02:00
|
|
|
|
2015-07-11 16:55:22 +02:00
|
|
|
serviceConfig = {
|
|
|
|
Type = "simple";
|
|
|
|
RemainAfterExit = true;
|
|
|
|
Restart = "always";
|
2016-02-08 03:40:41 +01:00
|
|
|
SyslogIdentifier = "tv-iptables_start";
|
|
|
|
ExecStart = pkgs.writeDash "tv-iptables_start" ''
|
|
|
|
set -euf
|
|
|
|
iptables-restore < ${rules 4}
|
|
|
|
ip6tables-restore < ${rules 6}
|
|
|
|
'';
|
2015-07-11 16:55:22 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2016-02-18 00:50:10 +01:00
|
|
|
formatTable = table:
|
|
|
|
(concatStringsSep "\n"
|
|
|
|
(mapAttrsToList
|
|
|
|
(chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
|
|
|
|
table));
|
2015-07-11 16:55:22 +02:00
|
|
|
|
2016-02-07 03:09:14 +01:00
|
|
|
rules = iptables-version: let
|
|
|
|
accept-echo-request = {
|
|
|
|
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
|
|
|
|
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
|
|
|
|
}."ip${toString iptables-version}tables";
|
|
|
|
accept-new-tcp = port:
|
|
|
|
"-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
|
|
|
|
in
|
2015-07-11 16:55:22 +02:00
|
|
|
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
|
|
|
|
*nat
|
|
|
|
:PREROUTING ACCEPT [0:0]
|
|
|
|
:INPUT ACCEPT [0:0]
|
|
|
|
:OUTPUT ACCEPT [0:0]
|
|
|
|
:POSTROUTING ACCEPT [0:0]
|
2016-02-08 02:19:38 +01:00
|
|
|
${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [
|
|
|
|
"! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
|
|
|
|
"-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
|
|
|
|
]}
|
|
|
|
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
|
|
|
|
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
|
|
|
|
]}
|
2016-02-18 00:50:10 +01:00
|
|
|
${formatTable cfg.extra.nat}
|
2015-07-11 16:55:22 +02:00
|
|
|
COMMIT
|
|
|
|
*filter
|
|
|
|
:INPUT DROP [0:0]
|
|
|
|
:FORWARD DROP [0:0]
|
|
|
|
:OUTPUT ACCEPT [0:0]
|
|
|
|
:Retiolum - [0:0]
|
|
|
|
${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
|
|
|
|
++ [
|
|
|
|
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
|
|
|
|
"-i lo -j ACCEPT"
|
|
|
|
]
|
2016-02-07 03:09:14 +01:00
|
|
|
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
|
2015-07-19 16:12:21 +02:00
|
|
|
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
|
2015-07-11 16:55:22 +02:00
|
|
|
++ ["-i retiolum -j Retiolum"]
|
|
|
|
)}
|
2016-02-18 00:50:10 +01:00
|
|
|
${formatTable cfg.extra.filter}
|
2015-07-11 16:55:22 +02:00
|
|
|
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
|
2016-02-07 03:09:14 +01:00
|
|
|
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
|
2015-07-19 16:12:21 +02:00
|
|
|
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
|
2015-07-11 16:55:22 +02:00
|
|
|
++ {
|
|
|
|
ip4tables = [
|
|
|
|
"-p tcp -j REJECT --reject-with tcp-reset"
|
|
|
|
"-p udp -j REJECT --reject-with icmp-port-unreachable"
|
|
|
|
"-j REJECT --reject-with icmp-proto-unreachable"
|
|
|
|
];
|
|
|
|
ip6tables = [
|
|
|
|
"-p tcp -j REJECT --reject-with tcp-reset"
|
|
|
|
"-p udp -j REJECT --reject-with icmp6-port-unreachable"
|
|
|
|
"-j REJECT"
|
|
|
|
];
|
|
|
|
}."ip${toString iptables-version}tables"
|
|
|
|
)}
|
|
|
|
COMMIT
|
|
|
|
'';
|
2016-02-08 03:40:41 +01:00
|
|
|
in out
|
2015-07-11 16:55:22 +02:00
|
|
|
|
|
|
|
#let
|
|
|
|
# cfg = config.tv.iptables;
|
|
|
|
# arg' = arg // { inherit cfg; };
|
|
|
|
#in
|
|
|
|
#
|
|
|
|
#{
|
|
|
|
# options.tv.iptables = import ./options.nix arg';
|
|
|
|
# config = lib.mkIf cfg.enable (import ./config.nix arg');
|
|
|
|
#}
|