diff --git a/modules/clerie-firewall/default.nix b/modules/clerie-firewall/default.nix new file mode 100644 index 0000000..863ab46 --- /dev/null +++ b/modules/clerie-firewall/default.nix @@ -0,0 +1,144 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + ip46tables = '' + ip46tables() { + iptables -w "$@" + ip6tables -w "$@" + } + ''; + + cfg = config.clerie.firewall; + + forwardFilterStartScript = pkgs.writeScriptBin "forward-filter-start" '' + #! ${pkgs.runtimeShell} -e + + ${ip46tables} + + ip46tables -D FORWARD -j forward-filter 2> /dev/null || true + ip46tables -F forward-filter 2> /dev/null || true + ip46tables -X forward-filter 2> /dev/null || true + + ip46tables -N forward-filter + + ${cfg.extraForwardFilterCommands} + + ip46tables -A FORWARD -j forward-filter + ''; + + forwardFilterStopScript = pkgs.writeScriptBin "forward-filter-stop" '' + #! ${pkgs.runtimeShell} -e + + ${ip46tables} + + ip46tables -D FORWARD -j forward-filter 2> /dev/null || true + ip46tables -F forward-filter 2> /dev/null || true + ip46tables -X forward-filter 2> /dev/null || true + ''; + + forwardMangleStartScript = pkgs.writeScriptBin "forward-mangle-start" '' + #! ${pkgs.runtimeShell} -e + + ${ip46tables} + + ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true + ip46tables -t mangle -F forward-mangle 2> /dev/null || true + ip46tables -t mangle -X forward-mangle 2> /dev/null || true + + ip46tables -t mangle -N forward-mangle + + ${cfg.extraForwardMangleCommands} + + ip46tables -t mangle -A FORWARD -j forward-mangle + ''; + + forwardMangleStopScript = pkgs.writeScriptBin "forward-mangle-stop" '' + #! ${pkgs.runtimeShell} -e + + ${ip46tables} + + ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true + ip46tables -t mangle -F forward-mangle 2> /dev/null || true + ip46tables -t mangle -X forward-mangle 2> /dev/null || true + ''; + +in + +{ + + options = { + + clerie.firewall = { + enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable the clerie firewall. It provides chains than can get cleanly set up and shut down. + ''; + }; + + extraForwardFilterCommands = mkOption { + type = types.lines; + default = ""; + }; + + extraForwardMangleCommands = mkOption { + type = types.lines; + default = ""; + }; + + }; + + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.iptables ]; + + systemd.services.forward-filter = { + description = "Forward Filter"; + wantedBy = [ "sysinit.target" ]; + wants = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = [ pkgs.iptables ]; + + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + unitConfig.DefaultDependencies = false; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "@${forwardFilterStartScript}/bin/forward-filter-start forward-filter-start"; + ExecStop = "@${forwardFilterStopScript}/bin/forward-filter-stop forward-filter-stop"; + }; + }; + + systemd.services.forward-mangle = { + description = "Forward Mangle"; + wantedBy = [ "sysinit.target" ]; + wants = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = [ pkgs.iptables ]; + + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + unitConfig.DefaultDependencies = false; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "@${forwardMangleStartScript}/bin/forward-mangle-start forward-mangle-start"; + ExecStop = "@${forwardMangleStopScript}/bin/forward-mangle-stop forward-mangle-stop"; + }; + }; + + }; + +} diff --git a/modules/default.nix b/modules/default.nix index eea78e0..798eeef 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -5,6 +5,7 @@ ./policyrouting ./akne ./anycast_healthchecker + ./clerie-firewall ./gre-tunnel ./minecraft-server ./monitoring