From 74cd7c4859bb5242e3d18fcb13c1a22cb25af2d8 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 27 Apr 2025 23:33:14 +0200
Subject: [PATCH] feat: add custom rules for firewall
---
 modules/cloonar-assistant/default.nix | 32 +++++++++++++++++++
 .../cloonar-assistant/networking/firewall.nix | 7 ++++
 2 files changed, 39 insertions(+)

diff --git a/modules/cloonar-assistant/default.nix b/modules/cloonar-assistant/default.nix
index 85bd894..58f8008 100644
--- a/modules/cloonar-assistant/default.nix
+++ b/modules/cloonar-assistant/default.nix
@@ -126,6 +126,38 @@ in {
 description = "Internal network interface";
 };
 };
+ custom-rules = {
+ input = lib.mkOption {
+ type = with types; nullOr lines;
+ example = ''
+ iifname "lan" udp dport 22 counter accept comment "Wireguard traffic"
+ iifname "lan" udp dport 80 counter accept comment "Wireguard traffic"
+ '';
+ description = "Custom iptables rules for INPUT chain";
+ };
+ forward = lib.mkOption {
+ type = with types; nullOr lines;
+ example = ''
+ iifname "lan" oifname "server" tcp dport { 22 } counter accept
+ iifname "lan" oifname "server" tcp dport { 80 } counter accept
+ '';
+ description = "Custom iptables rules for FORWARD chain";
+ };
+ prerouting = lib.mkOption {
+ type = with types; nullOr lines;
+ example = ''
+ iifname "server" ip daddr 10.0.96.255 udp dport { 9 } dnat to 10.0.96.255
+ '';
+ description = "Custom iptables rules for nat chain";
+ };
+ postrouting = lib.mkOption {
+ type = with types; nullOr lines;
+ example = ''
+ oifname { "wan" } masquerade
+ '';
+ description = "Custom iptables rules for nat chain";
+ };
+ };
 };
 };
 imports = [
diff --git a/modules/cloonar-assistant/networking/firewall.nix b/modules/cloonar-assistant/networking/firewall.nix
index a502d24..7af2733 100644
--- a/modules/cloonar-assistant/networking/firewall.nix
+++ b/modules/cloonar-assistant/networking/firewall.nix
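Review bot: None of the four `custom-rules` options declares a `default`, so a host that never sets them fails evaluation as soon as firewall.nix reads them, and `nullOr lines` additionally admits a `null` that string interpolation cannot coerce. Declare each as `type = types.lines; default = "";` (or keep `nullOr` and guard every use site) so the options are optional and empty by default; the enclosing `options` attribute set begins outside the hunk. The descriptions say "iptables" while the examples and the ruleset they are spliced into are nftables syntax, and the two nat options carry identical text, e.g. `description = "Custom nftables rules appended to the nat prerouting chain";` with the matching wording for postrouting. The `input` example labels udp 22 and 80 as "Wireguard traffic", which does not match those ports; a neutral example keeps operators from misreading what a rule opens.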
@@ -61,6 +61,8 @@ in {
 iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
 iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
+ ${config.cloonar-assistant.firewall.custom-rules.input}
+
 limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic"
 }
@@ -98,6 +100,8 @@ in {
 iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
 iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept
 iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"
+
+ ${config.cloonar-assistant.firewall.custom-rules.forward}
 ''}
@@ -132,6 +136,7 @@ in {
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
 iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
+ ${config.cloonar-assistant.firewall.custom-rules.prerouting}
 }
 # Setup NAT masquerading on external interfaces
@@ -142,6 +147,8 @@ in {
 ${lib.optionalString config.cloonar-assistant.vpn.enable ''
 oifname { "wg_cloonar" } masquerade
 ''}
+
+ ${config.cloonar-assistant.firewall.custom-rules.postrouting}
 }
 '';
 };
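Review bot: The `${config.cloonar-assistant.firewall.custom-rules.input}` interpolation in the input chain dereferences an option declared as `nullOr lines` with no visible default, so an unset or `null` value aborts evaluation of the whole ruleset; the same applies to the `forward`, `prerouting` and `postrouting` interpolations in the other three hunks. Wrap each use as `${toString config.cloonar-assistant.firewall.custom-rules.input}` (or `lib.optionalString (… != null) …`) so an absent value yields an empty string. Because the custom input rules are spliced after the `iifname "wan" counter drop` rule, a rule in `custom-rules.input` can never match traffic arriving on wan, which is a useful safety property that the option description should state, e.g. `# custom input rules run after the wan drop and cannot expose services on wan`. The forward rules land after the visible accept rules, so they cannot narrow what those already accept; a one-line comment above each interpolation naming its position in the chain would make these ordering guarantees explicit. The chain definitions begin outside the hunks.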