tixie/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

Drastically simplify firewall config

Browse source
This commit is contained in:
Alex 2022-01-19 13:30:18 +01:00
parent 4bc67c3906
commit b5ec581bc8
No known key found for this signature in database
GPG key ID: EDABF9711E244EB1
1 changed files with 6 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
configuration.nix
View file

@ -309,46 +309,18 @@ in
# Allow everything from router (usefull for UPnP/IGD) # Allow everything from router (usefull for UPnP/IGD)
iptables -A INPUT -s 192.168.1.254 -j ACCEPT iptables -A INPUT -s 192.168.1.254 -j ACCEPT
# Allow Docker containers to access a few things # Allow docker containers to access all ports
iptables -N CONTAINERS iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS
# Yugabyte YSQL # Allow other nodes on VPN to access all ports
iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT
# Specific rules for VPN nodes
iptables -N VPN
iptables -A INPUT -s 10.42.0.0/16 -j VPN
# Allow server nodes to communicate between themselves on all ports
iptables -A VPN -s 10.42.0.2 -j ACCEPT
iptables -A VPN -s 10.42.0.21 -j ACCEPT
iptables -A VPN -s 10.42.0.22 -j ACCEPT
iptables -A VPN -s 10.42.0.23 -j ACCEPT
# Allow all VPN users to access Nomad API
iptables -A VPN -p tcp --dport 4646 -j ACCEPT
# Same for Consul API
iptables -A VPN -p tcp --dport 8500 -j ACCEPT
# Same for YugabyteDB YSQL and Admin ports
iptables -A VPN -p tcp --dport 5433 -j ACCEPT
iptables -A VPN -p tcp --dport 7000 -j ACCEPT
# Same for Netdata monitoring
iptables -A VPN -p tcp --dport 19999 -j ACCEPT
''; '';
# When stopping firewall, delete all rules that were configured manually above # When stopping firewall, delete all rules that were configured manually above
extraStopCommands = '' extraStopCommands = ''
iptables -D INPUT -s 192.168.1.254 -j ACCEPT iptables -D INPUT -s 192.168.1.254 -j ACCEPT
iptables -D INPUT -s 10.42.0.0/16 -j VPN iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT
iptables -F VPN iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT
iptables -X VPN
iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS
iptables -F CONTAINERS
iptables -X CONTAINERS
''; '';
}; };