clerie/vcp-bula-nixfiles
1
0
Fork 0
Code Releases Activity

yate: configure firewall

Browse Source
This commit is contained in:
Ember 'n0emis' Keske 2022-07-20 09:20:39 +02:00
parent a70b6b35f1
commit 4741d1b67c
No known key found for this signature in database
GPG Key ID: 00FAF748B777CF10
1 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
hosts/yate/configuration.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports =
@ -91,6 +91,52 @@
}; };
}; };
networking.firewall.enable = false;
networking.nftables = {
enable = true;
ruleset = let
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
in ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
ct state {established, related} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
tcp dport 22 accept
tcp dport { ${tcpPorts} } accept
iif {vlan132, vlan133} accept
udp dport 5060 ip saddr { 10.42.10.9 } accept
udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::9 } accept
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
iif {vlan132, vlan133} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
ip saddr 10.42.201.0/24 accept
}
}
'';
};
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave