fix firewall

This commit is contained in:
2023-12-03 22:48:56 +01:00
parent 5d58ae7904
commit 1a4956af6e


@@ -70,7 +70,7 @@
# Allow networks to access the dns and dhcp # Allow networks to access the dns and dhcp
iifname { iifname {
"lan", "lan",
"vb-gitea", "vb-*",
"podman0", "podman0",
"infrastructure", "infrastructure",
"wg_cloonar", "wg_cloonar",
@@ -80,7 +80,7 @@
iifname { iifname {
"lan", "lan",
"podman0", "podman0",
"vb-gitea", "vb-*",
"infrastructure", "infrastructure",
"wg_cloonar", "wg_cloonar",
"smart", "smart",
@@ -111,14 +111,14 @@
# lan and vpn to any # lan and vpn to any
# TODO: disable wan when finished # TODO: disable wan when finished
iifname { "wan", "lan", "vb-gitea", "podman0", "wg_cloonar" } oifname { "lan", "vb-gitea", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
# Allow trusted network WAN access # Allow trusted network WAN access
iifname { iifname {
"lan", "lan",
"infrastructure", "infrastructure",
"vb-gitea", "vb-*",
"podman0", "podman0",
"multimedia", "multimedia",
"smart", "smart",
@@ -131,7 +131,7 @@
table ip nat { table ip nat {
chain post { chain post {
iifname { "vb-*" } oifname { "server" } 10.42.97.1 comment "from internal interfaces" iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
} }
chain prerouting { chain prerouting {
type nat hook prerouting priority filter; policy accept; type nat hook prerouting priority filter; policy accept;
@@ -140,7 +140,7 @@
# Setup NAT masquerading on external interfaces # Setup NAT masquerading on external interfaces
chain postrouting { chain postrouting {
type nat hook postrouting priority filter; policy accept; type nat hook postrouting priority filter; policy accept;
oifname { "wan", "server", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
} }
} }
''; '';
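Review bot: Replacing "vb-gitea" with the wildcard "vb-*" in the forward accept rule of the third hunk widens that allow-list to every present and future vb- interface, including "vb-omada", which the rule on the following line had so far exposed only to "infrastructure"; since the same rule still carries "wan" in iifname under the unresolved "disable wan" TODO, every vb- interface becomes forwardable from wan. The first and second hunks (dns/dhcp input) share this pattern, so if only particular bridges are meant to cross, name them, e.g. keep `"vb-gitea"` and list further bridges explicitly instead of matching on a prefix. Separately, in the fourth hunk `chain post {` is followed directly by the masquerade rule with no `type nat hook postrouting` line in view, so unless it is entered by a jump from a base chain elsewhere in the file that rule is never evaluated, and with "server" dropped from the postrouting set in the last hunk traffic leaving via server would then not be masqueraded anywhere. Moving the line into `chain postrouting` as `iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"` ahead of the existing oifname line keeps the narrower intent without depending on the unhooked chain.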