From b5ec581bc8404ff993910e4ba28df564b0e15c02 Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Wed, 19 Jan 2022 13:30:18 +0100
Subject: [PATCH] Drastically simplify firewall config

---
 configuration.nix | 40 ++++++----------------------------------
 1 file changed, 6 insertions(+), 34 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index c493496..ca403ec 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -309,46 +309,18 @@ in
       # Allow everything from router (usefull for UPnP/IGD)
       iptables -A INPUT -s 192.168.1.254 -j ACCEPT
 
-      # Allow Docker containers to access a few things
-      iptables -N CONTAINERS
-      iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS
+      # Allow docker containers to access all ports
+      iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
 
-      # Yugabyte YSQL
-      iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT
-
-      # Specific rules for VPN nodes
-      iptables -N VPN
-      iptables -A INPUT -s 10.42.0.0/16 -j VPN
-
-      # Allow server nodes to communicate between themselves on all ports
-      iptables -A VPN -s 10.42.0.2 -j ACCEPT
-      iptables -A VPN -s 10.42.0.21 -j ACCEPT
-      iptables -A VPN -s 10.42.0.22 -j ACCEPT
-      iptables -A VPN -s 10.42.0.23 -j ACCEPT
-
-      # Allow all VPN users to access Nomad API
-      iptables -A VPN -p tcp --dport 4646 -j ACCEPT
-
-      # Same for Consul API
-      iptables -A VPN -p tcp --dport 8500 -j ACCEPT
-
-      # Same for YugabyteDB YSQL and Admin ports
-      iptables -A VPN -p tcp --dport 5433 -j ACCEPT
-      iptables -A VPN -p tcp --dport 7000 -j ACCEPT
-
-      # Same for Netdata monitoring
-      iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+      # Allow other nodes on VPN to access all ports
+      iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT
     '';
 
     # When stopping firewall, delete all rules that were configured manually above
     extraStopCommands = ''
       iptables -D INPUT -s 192.168.1.254 -j ACCEPT
-      iptables -D INPUT -s 10.42.0.0/16 -j VPN
-      iptables -F VPN
-      iptables -X VPN
-      iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS
-      iptables -F CONTAINERS
-      iptables -X CONTAINERS
+      iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT
+      iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT
     '';
   };