ponte: modify internet-facing SSH port

2022-12-09 18:07:20 +01:00 · 2022-12-09 18:07:20 +01:00 · b17cd6133b
commit b17cd6133b
parent ea30ea8661
1 changed files with 15 additions and 0 deletions
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@ -11,6 +11,21 @@
  networking.firewall.logRefusedConnections = false;
  networking.firewall.logRefusedUnicastsOnly = false;

+  # Move Internet-facing SSH port to reduce logspam.
+  networking.firewall.extraCommands = let
+    host = config.krebs.build.host;
+  in /* sh */ ''
+    iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+    iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+    ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+    ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+  '';
+
  krebs.build.host = config.krebs.hosts.ponte;

  krebs.pages.enable = true;