148 lines
3.7 KiB
Nix
148 lines
3.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
ip46tables = ''
|
|
ip46tables() {
|
|
iptables -w "$@"
|
|
ip6tables -w "$@"
|
|
}
|
|
'';
|
|
|
|
cfg = config.clerie.firewall;
|
|
|
|
forwardFilterStartScript = pkgs.writeScriptBin "forward-filter-start" ''
|
|
#! ${pkgs.runtimeShell} -e
|
|
|
|
${ip46tables}
|
|
|
|
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
|
|
ip46tables -F forward-filter 2> /dev/null || true
|
|
ip46tables -X forward-filter 2> /dev/null || true
|
|
|
|
ip46tables -N forward-filter
|
|
|
|
# Allow packets from existing connections
|
|
ip46tables -A forward-filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
${cfg.extraForwardFilterCommands}
|
|
|
|
ip46tables -A FORWARD -j forward-filter
|
|
'';
|
|
|
|
forwardFilterStopScript = pkgs.writeScriptBin "forward-filter-stop" ''
|
|
#! ${pkgs.runtimeShell} -e
|
|
|
|
${ip46tables}
|
|
|
|
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
|
|
ip46tables -F forward-filter 2> /dev/null || true
|
|
ip46tables -X forward-filter 2> /dev/null || true
|
|
'';
|
|
|
|
forwardMangleStartScript = pkgs.writeScriptBin "forward-mangle-start" ''
|
|
#! ${pkgs.runtimeShell} -e
|
|
|
|
${ip46tables}
|
|
|
|
ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
|
|
ip46tables -t mangle -F forward-mangle 2> /dev/null || true
|
|
ip46tables -t mangle -X forward-mangle 2> /dev/null || true
|
|
|
|
ip46tables -t mangle -N forward-mangle
|
|
|
|
${cfg.extraForwardMangleCommands}
|
|
|
|
ip46tables -t mangle -A FORWARD -j forward-mangle
|
|
'';
|
|
|
|
forwardMangleStopScript = pkgs.writeScriptBin "forward-mangle-stop" ''
|
|
#! ${pkgs.runtimeShell} -e
|
|
|
|
${ip46tables}
|
|
|
|
ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
|
|
ip46tables -t mangle -F forward-mangle 2> /dev/null || true
|
|
ip46tables -t mangle -X forward-mangle 2> /dev/null || true
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
clerie.firewall = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description =
|
|
''
|
|
Whether to enable the clerie firewall. It provides chains than can get cleanly set up and shut down.
|
|
'';
|
|
};
|
|
|
|
extraForwardFilterCommands = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
};
|
|
|
|
extraForwardMangleCommands = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
environment.systemPackages = [ pkgs.iptables ];
|
|
|
|
systemd.services.forward-filter = {
|
|
description = "Forward Filter";
|
|
wantedBy = [ "sysinit.target" ];
|
|
wants = [ "network-pre.target" ];
|
|
before = [ "network-pre.target" ];
|
|
after = [ "systemd-modules-load.service" ];
|
|
|
|
path = [ pkgs.iptables ];
|
|
|
|
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
|
unitConfig.DefaultDependencies = false;
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = "@${forwardFilterStartScript}/bin/forward-filter-start forward-filter-start";
|
|
ExecStop = "@${forwardFilterStopScript}/bin/forward-filter-stop forward-filter-stop";
|
|
};
|
|
};
|
|
|
|
systemd.services.forward-mangle = {
|
|
description = "Forward Mangle";
|
|
wantedBy = [ "sysinit.target" ];
|
|
wants = [ "network-pre.target" ];
|
|
before = [ "network-pre.target" ];
|
|
after = [ "systemd-modules-load.service" ];
|
|
|
|
path = [ pkgs.iptables ];
|
|
|
|
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
|
unitConfig.DefaultDependencies = false;
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = "@${forwardMangleStartScript}/bin/forward-mangle-start forward-mangle-start";
|
|
ExecStop = "@${forwardMangleStopScript}/bin/forward-mangle-stop forward-mangle-stop";
|
|
};
|
|
};
|
|
|
|
};
|
|
|
|
}
|