Services are publically available again

Daniel Flanagan 2024-07-18 16:00:29 -05:00
parent 7fbe64b448
commit 172a97176d


@ -62,7 +62,7 @@
"net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.all.use_tempaddr" = 2;
"net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2; "net.ipv6.conf.default.use_tempaddr" = lib.mkForce 2;
"net.ipv6.conf.${interfaces.wan.name}.use_tempaddr" = 2; "net.ipv6.conf.${interfaces.wan.name}.use_tempaddr" = 2;
"net.ipv6.conf.${interfaces.wan.name}.addr_gen_mode" = 2; # "net.ipv6.conf.${interfaces.wan.name}.addr_gen_mode" = 2;
}; };
in { in {
imports = [ imports = [
@ -96,12 +96,14 @@ in {
# disable some of the sane defaults # disable some of the sane defaults
useDHCP = false; useDHCP = false;
nat.enable = false;
firewall.enable = false; firewall.enable = false;
# use systemd.network for network interface configuration # use systemd.network for network interface configuration
useNetworkd = true; useNetworkd = true;
# maybe we need this?
nat.enable = true;
extraHosts = '' extraHosts = ''
127.0.0.1 localhost 127.0.0.1 localhost
127.0.0.2 ${hostname}.${domain} ${hostname} 127.0.0.2 ${hostname}.${domain} ${hostname}
@ -135,10 +137,10 @@ in {
# } # }
# TODO: maybe tailnet? # TODO: maybe tailnet?
chain my_input_lan { # chain my_input_lan {
udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply" # udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies" # udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
} # }
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
@ -182,13 +184,23 @@ in {
iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan" iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan"
} }
chain forward { chain output {
type filter hook forward priority filter; policy drop; type filter hook output priority 0;
accept
iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
iifname { "tailscale0" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN"
} }
chain forward {
type filter hook forward priority 0;
accept
}
# chain forward {
# type filter hook forward priority filter; policy drop;
# iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
# iifname { "tailscale0" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
# iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN"
# }
} }
table ip nat { table ip nat {