| author | lassulus <lass@aidsballs.de> | 2016-06-30 21:51:09 +0200 | 
|---|---|---|
| committer | lassulus <lass@aidsballs.de> | 2016-06-30 21:51:09 +0200 | 
| commit | b3fa9cbd7e4bc8fe950aed139d857a2f14775b94 (patch) | |
| tree | 223af7528e038008bf8de4252dc986910f380f13 /mv/3modules/iptables.nix | |
| parent | eac3b2f4b46c9046205bc2507cd8fab3840929bb (diff) | |
| parent | 4d63548868ec4806d62d82337bb278e6dd34f21e (diff) | |
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'mv/3modules/iptables.nix')
| -rw-r--r-- | mv/3modules/iptables.nix | 125 | 
1 files changed, 0 insertions, 125 deletions
diff --git a/mv/3modules/iptables.nix b/mv/3modules/iptables.nix
deleted file mode 100644
index b2b41bf00..000000000
--- a/mv/3modules/iptables.nix
+++ /dev/null
@@ -1,125 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with config.krebs.lib;
-let
-  cfg = config.tv.iptables;
-
-  out = {
-    options.tv.iptables = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "tv.iptables";
-
-    input-internet-accept-new-tcp = mkOption {
-      type = with types; listOf (either int str);
-      default = [];
-    };
-
-    input-retiolum-accept-new-tcp = mkOption {
-      type = with types; listOf (either int str);
-      default = [];
-    };
-  };
-
-  imp = {
-    networking.firewall.enable = false;
-
-    systemd.services.tv-iptables = {
-      description = "tv-iptables";
-      wantedBy = [ "network-pre.target" ];
-      before = [ "network-pre.target" ];
-      after = [ "systemd-modules-load.service" ];
-
-      path = with pkgs; [
-        iptables
-      ];
-
-      restartIfChanged = true;
-
-      serviceConfig = {
-        Type = "simple";
-        RemainAfterExit = true;
-        Restart = "always";
-        ExecStart = "@${startScript} tv-iptables_start";
-      };
-    };
-  };
-
-
-  accept-new-tcp = port:
-    "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
-
-  rules = iptables-version:
-    pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
-      *nat
-      :PREROUTING ACCEPT [0:0]
-      :INPUT ACCEPT [0:0]
-      :OUTPUT ACCEPT [0:0]
-      :POSTROUTING ACCEPT [0:0]
-      ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
-        ++ [
-          "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
-          "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
-        ]
-      )}
-      COMMIT
-      *filter
-      :INPUT DROP [0:0]
-      :FORWARD DROP [0:0]
-      :OUTPUT ACCEPT [0:0]
-      :Retiolum - [0:0]
-      ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
-        ++ [
-          "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
-          "-i lo -j ACCEPT"
-        ]
-        ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
-        ++ ["-i retiolum -j Retiolum"]
-      )}
-      ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
-        ++ {
-          ip4tables = [
-            "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
-          ];
-          ip6tables = [
-            "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
-          ];
-        }."ip${toString iptables-version}tables"
-        ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
-        ++ {
-          ip4tables = [
-            "-p tcp -j REJECT --reject-with tcp-reset"
-            "-p udp -j REJECT --reject-with icmp-port-unreachable"
-            "-j REJECT --reject-with icmp-proto-unreachable"
-          ];
-          ip6tables = [
-            "-p tcp -j REJECT --reject-with tcp-reset"
-            "-p udp -j REJECT --reject-with icmp6-port-unreachable"
-            "-j REJECT"
-          ];
-        }."ip${toString iptables-version}tables"
-      )}
-      COMMIT
-    '';
-
-  startScript = pkgs.writeScript "tv-iptables_start" ''
-    #! /bin/sh
-    set -euf
-    iptables-restore < ${rules 4}
-    ip6tables-restore < ${rules 6}
-  '';
-
-in
-out
-
-#let
-#  cfg = config.tv.iptables;
-#  arg' = arg // { inherit cfg; };
-#in
-#
-#{
-#  options.tv.iptables = import ./options.nix arg';
-#  config = lib.mkIf cfg.enable (import ./config.nix arg');
-#}
