Merge pull request #11681 from jgillich/upnpd-fw

miniupnpd: firewall config
2024-12-26 12:53:59 +03:00 · 2015-12-13 23:03:11 +03:00 · 2015-12-13 23:03:11 +03:00 · 7bb418e02c
commit 7bb418e02c
parent f0cdf17ee8 0f1de2ea9f
1 changed files with 32 additions and 3 deletions
--- a/nixos/modules/services/networking/miniupnpd.nix
+++ b/nixos/modules/services/networking/miniupnpd.nix
@ -30,7 +30,7 @@ in

      internalIPs = mkOption {
        type = types.listOf types.str;
-        example = [ "192.168.1.0/24" ];
+        example = [ "192.168.1.1/24" "enp1s0" ];
        description = ''
          The IP address ranges to listen on.
        '';
@ -57,13 +57,42 @@ in
  };

  config = mkIf cfg.enable {
+    # from miniupnpd/netfilter/iptables_init.sh
+    networking.firewall.extraCommands = ''
+      iptables -t nat -N MINIUPNPD
+      iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t mangle -N MINIUPNPD
+      iptables -t mangle -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t filter -N MINIUPNPD
+      iptables -t filter -A FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t nat -N MINIUPNPD-PCP-PEER
+      iptables -t nat -A POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+    '';
+
+    # from miniupnpd/netfilter/iptables_removeall.sh
+    networking.firewall.extraStopCommands = ''
+      iptables -t nat -F MINIUPNPD
+      iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t nat -X MINIUPNPD
+      iptables -t mangle -F MINIUPNPD
+      iptables -t mangle -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t mangle -X MINIUPNPD
+      iptables -t filter -F MINIUPNPD
+      iptables -t filter -D FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t filter -X MINIUPNPD
+      iptables -t nat -F MINIUPNPD-PCP-PEER
+      iptables -t nat -D POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+      iptables -t nat -X MINIUPNPD-PCP-PEER
+    '';
+
    systemd.services.miniupnpd = {
      description = "MiniUPnP daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.miniupnpd ];
      serviceConfig = {
-        ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -d -f ${configFile}";
+        ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -f ${configFile}";
+        PIDFile = "/var/run/miniupnpd.pid";
+        Type = "forking";
      };
    };
  };