From b5ec581bc8404ff993910e4ba28df564b0e15c02 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 19 Jan 2022 13:30:18 +0100 Subject: [PATCH] Drastically simplify firewall config --- configuration.nix | 40 ++++++---------------------------------- 1 file changed, 6 insertions(+), 34 deletions(-) diff --git a/configuration.nix b/configuration.nix index c493496..ca403ec 100644 --- a/configuration.nix +++ b/configuration.nix @@ -309,46 +309,18 @@ in # Allow everything from router (usefull for UPnP/IGD) iptables -A INPUT -s 192.168.1.254 -j ACCEPT - # Allow Docker containers to access a few things - iptables -N CONTAINERS - iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS + # Allow docker containers to access all ports + iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT - # Yugabyte YSQL - iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT - - # Specific rules for VPN nodes - iptables -N VPN - iptables -A INPUT -s 10.42.0.0/16 -j VPN - - # Allow server nodes to communicate between themselves on all ports - iptables -A VPN -s 10.42.0.2 -j ACCEPT - iptables -A VPN -s 10.42.0.21 -j ACCEPT - iptables -A VPN -s 10.42.0.22 -j ACCEPT - iptables -A VPN -s 10.42.0.23 -j ACCEPT - - # Allow all VPN users to access Nomad API - iptables -A VPN -p tcp --dport 4646 -j ACCEPT - - # Same for Consul API - iptables -A VPN -p tcp --dport 8500 -j ACCEPT - - # Same for YugabyteDB YSQL and Admin ports - iptables -A VPN -p tcp --dport 5433 -j ACCEPT - iptables -A VPN -p tcp --dport 7000 -j ACCEPT - - # Same for Netdata monitoring - iptables -A VPN -p tcp --dport 19999 -j ACCEPT + # Allow other nodes on VPN to access all ports + iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT ''; # When stopping firewall, delete all rules that were configured manually above extraStopCommands = '' iptables -D INPUT -s 192.168.1.254 -j ACCEPT - iptables -D INPUT -s 10.42.0.0/16 -j VPN - iptables -F VPN - iptables -X VPN - iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS - iptables -F CONTAINERS - iptables -X CONTAINERS + iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT + iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT ''; };