many changes

This commit is contained in:
2024-06-03 13:49:35 +02:00
parent c9e4ab6af0
commit 5d0827848e
24 changed files with 844 additions and 163 deletions


@@ -30,7 +30,8 @@
iifname lo accept
iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "multimedia", "smart" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
# Accept mDNS for avahi reflection
iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept
@@ -78,6 +79,7 @@
# smart home coap
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept
# Forward to git server
oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept
@@ -91,6 +93,9 @@
# accept palword server
iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld"
# forward to ark server
oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
# allow all established, related
ct state { established, related } accept comment "Allow established traffic"
@@ -121,13 +126,16 @@
chain prerouting {
type nat hook prerouting priority filter; policy accept;
iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201
iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201
}
# Setup NAT masquerading on external interfaces
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
ip daddr 10.42.97.50 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade
}
'';
};
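Review bot: The new prerouting rule `iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201` claims udp 27015 for the ark host, while the forwarding hunk above still admits udp 27015 to the palworld container on podman0; if that container also publishes 27015 toward wan, the two DNAT targets overlap and whichever rule is evaluated first silently takes the port from the other service. Dropping 27015 from the ark set, or giving one of the two games a different query port, would remove the ambiguity. Separately, `iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade` rewrites every internet client to the router's own address, so the ark host's logs and any per-address bans or rate limits on it see a single source; if the masquerade is only needed because the host's return route bypasses this router, a comment saying so (`# masquerade: host replies do not route back via this box`) would stop a later cleanup from breaking it, and otherwise the line can go. The enclosing Nix attribute starts outside the hunk.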