xu-qemu0 host: setup iptables
This commit is contained in:
parent
f7d6e20431
commit
7f1abe50ce
@ -15,17 +15,23 @@ in
|
|||||||
#
|
#
|
||||||
# make [install] system=xu-qemu0 target_host=10.56.0.101
|
# make [install] system=xu-qemu0 target_host=10.56.0.101
|
||||||
|
|
||||||
# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
|
|
||||||
# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT
|
|
||||||
# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
|
|
||||||
|
|
||||||
with config.krebs.lib;
|
with config.krebs.lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
|
networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
|
||||||
|
|
||||||
|
tv.iptables.extra = {
|
||||||
|
nat.POSTROUTING = ["-j MASQUERADE"];
|
||||||
|
filter.FORWARD = [
|
||||||
|
"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
|
||||||
|
"-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
|
||||||
|
];
|
||||||
|
filter.INPUT = [
|
||||||
|
"-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
|
||||||
|
"-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
systemd.network.enable = true;
|
systemd.network.enable = true;
|
||||||
systemd.services.systemd-networkd-wait-online.enable = false;
|
systemd.services.systemd-networkd-wait-online.enable = false;
|
||||||
|
|
||||||
|
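Review bot: The `nat.POSTROUTING = ["-j MASQUERADE"];` rule carries no source or outgoing-interface match, so every packet leaving this host through any interface gets masqueraded, not only the guest traffic that the FORWARD rule just below restricts to `-i qemubr0 -s 10.56.0.1/24`; traffic forwarded in from any other interface is NATed too. Scoping it to the bridge subnet keeps the two rules consistent, e.g. `nat.POSTROUTING = ["-s 10.56.0.1/24 ! -o qemubr0 -j MASQUERADE"];`. The prefix `10.56.0.1/24` has host bits set and iptables masks it to 10.56.0.0/24, so writing `10.56.0.0/24` in both places would state the intent plainly. The FORWARD chain policy is not visible in this hunk; if the module does not set it to DROP, the two FORWARD rules only accept what would already pass.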
@ -26,6 +26,21 @@ let
|
|||||||
type = with types; listOf (either int str);
|
type = with types; listOf (either int str);
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
extra = {
|
||||||
|
nat.POSTROUTING = mkOption {
|
||||||
|
type = with types; listOf str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
filter.FORWARD = mkOption {
|
||||||
|
type = with types; listOf str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
filter.INPUT = mkOption {
|
||||||
|
type = with types; listOf str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
@ -57,6 +72,11 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
formatTable = table:
|
||||||
|
(concatStringsSep "\n"
|
||||||
|
(mapAttrsToList
|
||||||
|
(chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
|
||||||
|
table));
|
||||||
|
|
||||||
rules = iptables-version: let
|
rules = iptables-version: let
|
||||||
accept-echo-request = {
|
accept-echo-request = {
|
||||||
@ -79,6 +99,7 @@ let
|
|||||||
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
|
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
|
||||||
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
|
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
|
||||||
]}
|
]}
|
||||||
|
${formatTable cfg.extra.nat}
|
||||||
COMMIT
|
COMMIT
|
||||||
*filter
|
*filter
|
||||||
:INPUT DROP [0:0]
|
:INPUT DROP [0:0]
|
||||||
@ -94,6 +115,7 @@ let
|
|||||||
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
|
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
|
||||||
++ ["-i retiolum -j Retiolum"]
|
++ ["-i retiolum -j Retiolum"]
|
||||||
)}
|
)}
|
||||||
|
${formatTable cfg.extra.filter}
|
||||||
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
|
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
|
||||||
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
|
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
|
||||||
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
|
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
|
||||||
|
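Review bot: The three new `mkOption`s under `extra` (hunk at `@ -26,6 +26,21 @@`) have no `description`, and because `formatTable` splices each element verbatim into the iptables-restore text as `-A ${chain} ${rule}`, the contract of the strings is not obvious from the type alone. A description per option such as `description = "Extra rules appended to the filter FORWARD chain; each element is one rule specification without the leading -A FORWARD.";` (likewise for `filter.INPUT` and `nat.POSTROUTING`) would make that explicit. It is also worth noting in the descriptions that `formatTable` emits chains in attribute-name order via `mapAttrsToList`, and that a value containing a newline would become additional lines of the restore script, so the option does not check for that. The `rules` function and the surrounding `let` continue outside these hunks.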