tv iptables: add input-*-accept-udp
This commit is contained in:
parent
20a9f59061
commit
716a2fc6e8
@ -18,7 +18,7 @@ with config.krebs.lib;
|
||||
enable = true;
|
||||
ssl_cert = ../Zcerts/charybdis_cd.crt.pem;
|
||||
};
|
||||
tv.iptables.input-retiolum-accept-new-tcp = [
|
||||
tv.iptables.input-retiolum-accept-tcp = [
|
||||
config.tv.charybdis.port
|
||||
config.tv.charybdis.sslport
|
||||
];
|
||||
@ -28,14 +28,14 @@ with config.krebs.lib;
|
||||
enable = true;
|
||||
hosts = [ "jabber.viljetic.de" ];
|
||||
};
|
||||
tv.iptables.input-internet-accept-new-tcp = [
|
||||
tv.iptables.input-internet-accept-tcp = [
|
||||
"xmpp-client"
|
||||
"xmpp-server"
|
||||
];
|
||||
}
|
||||
{
|
||||
krebs.github-hosts-sync.enable = true;
|
||||
tv.iptables.input-internet-accept-new-tcp =
|
||||
tv.iptables.input-internet-accept-tcp =
|
||||
singleton config.krebs.github-hosts-sync.port;
|
||||
}
|
||||
{
|
||||
@ -57,7 +57,7 @@ with config.krebs.lib;
|
||||
root ${pkgs.viljetic-pages};
|
||||
'');
|
||||
};
|
||||
tv.iptables.input-internet-accept-new-tcp = singleton "http";
|
||||
tv.iptables.input-internet-accept-tcp = singleton "http";
|
||||
}
|
||||
];
|
||||
|
||||
|
@ -22,12 +22,12 @@ in
|
||||
{
|
||||
tv.iptables = {
|
||||
enable = true;
|
||||
input-internet-accept-new-tcp = [
|
||||
input-internet-accept-tcp = [
|
||||
"ssh"
|
||||
"tinc"
|
||||
"smtp"
|
||||
];
|
||||
input-retiolum-accept-new-tcp = [
|
||||
input-retiolum-accept-tcp = [
|
||||
"http"
|
||||
];
|
||||
};
|
||||
|
@ -22,12 +22,12 @@ in
|
||||
{
|
||||
tv.iptables = {
|
||||
enable = true;
|
||||
input-internet-accept-new-tcp = [
|
||||
input-internet-accept-tcp = [
|
||||
"ssh"
|
||||
"tinc"
|
||||
"smtp"
|
||||
];
|
||||
input-retiolum-accept-new-tcp = [
|
||||
input-retiolum-accept-tcp = [
|
||||
"http"
|
||||
];
|
||||
};
|
||||
|
@ -174,7 +174,7 @@ with config.krebs.lib;
|
||||
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
|
||||
];
|
||||
};
|
||||
tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
|
||||
tv.iptables.input-internet-accept-tcp = singleton "ssh";
|
||||
}
|
||||
|
||||
{
|
||||
|
@ -4,5 +4,5 @@ with config.krebs.lib;
|
||||
|
||||
{
|
||||
krebs.exim-retiolum.enable = true;
|
||||
tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
|
||||
tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
|
||||
}
|
||||
|
@ -43,5 +43,5 @@ with config.krebs.lib;
|
||||
{ from = "mirko"; to = "mv"; }
|
||||
];
|
||||
};
|
||||
tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
|
||||
tv.iptables.input-internet-accept-tcp = singleton "smtp";
|
||||
}
|
||||
|
@ -12,6 +12,6 @@ with config.krebs.lib;
|
||||
];
|
||||
};
|
||||
tv.iptables = optionalAttrs config.krebs.nginx.enable {
|
||||
input-retiolum-accept-new-tcp = singleton "http";
|
||||
input-retiolum-accept-tcp = singleton "http";
|
||||
};
|
||||
}
|
||||
|
@ -11,5 +11,5 @@ with config.krebs.lib;
|
||||
'')
|
||||
];
|
||||
};
|
||||
tv.iptables.input-internet-accept-new-tcp = singleton "http";
|
||||
tv.iptables.input-internet-accept-tcp = singleton "http";
|
||||
}
|
||||
|
@ -13,5 +13,5 @@ with config.krebs.lib;
|
||||
"ire"
|
||||
];
|
||||
};
|
||||
tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
|
||||
tv.iptables.input-internet-accept-tcp = singleton "tinc";
|
||||
}
|
||||
|
@ -17,12 +17,22 @@ let
|
||||
default = "retiolum";
|
||||
};
|
||||
|
||||
input-internet-accept-new-tcp = mkOption {
|
||||
input-internet-accept-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-retiolum-accept-new-tcp = mkOption {
|
||||
input-internet-accept-udp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-retiolum-accept-tcp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
|
||||
input-retiolum-accept-udp = mkOption {
|
||||
type = with types; listOf (either int str);
|
||||
default = [];
|
||||
};
|
||||
@ -83,8 +93,8 @@ let
|
||||
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
|
||||
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
|
||||
}."ip${toString iptables-version}tables";
|
||||
accept-new-tcp = port:
|
||||
"-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
|
||||
accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
|
||||
accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
|
||||
in
|
||||
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
|
||||
*nat
|
||||
@ -112,13 +122,15 @@ let
|
||||
"-i lo -j ACCEPT"
|
||||
]
|
||||
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
|
||||
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
|
||||
++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
|
||||
++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
|
||||
++ ["-i retiolum -j Retiolum"]
|
||||
)}
|
||||
${formatTable cfg.extra.filter}
|
||||
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
|
||||
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
|
||||
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
|
||||
++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
|
||||
++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
|
||||
++ {
|
||||
ip4tables = [
|
||||
"-p tcp -j REJECT --reject-with tcp-reset"
|
||||
|
Loading…
Reference in New Issue
Block a user