Cloonar/cloonar-assistant
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add custom rules for firewall

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2025-04-27 23:33:14 +02:00
parent 5de8b96816
commit 74cd7c4859
2 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
modules/cloonar-assistant/default.nix
View File

@@ -126,6 +126,38 @@ in {
description = "Internal network interface"; description = "Internal network interface";
}; };
}; };
custom-rules = {
input = lib.mkOption {
type = with types; nullOr lines;
example = ''
iifname "lan" udp dport 22 counter accept comment "Wireguard traffic"
iifname "lan" udp dport 80 counter accept comment "Wireguard traffic"
'';
description = "Custom iptables rules for INPUT chain";
};
forward = lib.mkOption {
type = with types; nullOr lines;
example = ''
iifname "lan" oifname "server" tcp dport { 22 } counter accept
iifname "lan" oifname "server" tcp dport { 80 } counter accept
'';
description = "Custom iptables rules for FORWARD chain";
};
prerouting = lib.mkOption {
type = with types; nullOr lines;
example = ''
iifname "server" ip daddr 10.0.96.255 udp dport { 9 } dnat to 10.0.96.255
'';
description = "Custom iptables rules for nat chain";
};
postrouting = lib.mkOption {
type = with types; nullOr lines;
example = ''
oifname { "wan" } masquerade
'';
description = "Custom iptables rules for nat chain";
};
};
}; };
}; };
imports = [ imports = [

7
modules/cloonar-assistant/networking/firewall.nix
View File

@@ -61,6 +61,8 @@ in {
iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
${config.cloonar-assistant.firewall.custom-rules.input}
limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic" limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic"
} }
@@ -98,6 +100,8 @@ in {
iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept
iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld" iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"
${config.cloonar-assistant.firewall.custom-rules.forward}
''} ''}
@@ -132,6 +136,7 @@ in {
chain prerouting { chain prerouting {
type nat hook prerouting priority filter; policy accept; type nat hook prerouting priority filter; policy accept;
iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255 iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
${config.cloonar-assistant.firewall.custom-rules.prerouting}
} }
# Setup NAT masquerading on external interfaces # Setup NAT masquerading on external interfaces
@@ -142,6 +147,8 @@ in {
${lib.optionalString config.cloonar-assistant.vpn.enable '' ${lib.optionalString config.cloonar-assistant.vpn.enable ''
oifname { "wg_cloonar" } masquerade oifname { "wg_cloonar" } masquerade
''} ''}
${config.cloonar-assistant.firewall.custom-rules.postrouting}
} }
''; '';
}; };