firewall.nix: Allow specifying trusted network interfaces
Trusted network interfaces (such as "lo") will accept any incoming traffic.
This commit is contained in:
parent
1e666c10fa
commit
d4af6edd5e
@ -98,6 +98,15 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.trustedInterfaces = mkOption {
|
||||||
|
type = types.list types.string;
|
||||||
|
description =
|
||||||
|
''
|
||||||
|
Traffic coming in from these interfaces will be accepted
|
||||||
|
unconditionally.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = mkOption {
|
networking.firewall.allowedTCPPorts = mkOption {
|
||||||
default = [];
|
default = [];
|
||||||
example = [ 22 80 ];
|
example = [ 22 80 ];
|
||||||
@ -155,6 +164,8 @@ in
|
|||||||
# holds).
|
# holds).
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
networking.firewall.trustedInterfaces = [ "lo" ];
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.iptables ];
|
environment.systemPackages = [ pkgs.iptables ];
|
||||||
|
|
||||||
boot.kernelModules = [ "nf_conntrack_ftp" ];
|
boot.kernelModules = [ "nf_conntrack_ftp" ];
|
||||||
@ -222,8 +233,10 @@ in
|
|||||||
# The "nixos-fw" chain does the actual work.
|
# The "nixos-fw" chain does the actual work.
|
||||||
ip46tables -N nixos-fw
|
ip46tables -N nixos-fw
|
||||||
|
|
||||||
# Accept all traffic on the loopback interface.
|
# Accept all traffic on the trusted interfaces.
|
||||||
ip46tables -A nixos-fw -i lo -j nixos-fw-accept
|
${flip concatMapStrings cfg.trustedInterfaces (iface: ''
|
||||||
|
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
|
||||||
|
'')}
|
||||||
|
|
||||||
# Accept packets from established or related connections.
|
# Accept packets from established or related connections.
|
||||||
ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
|
ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
|
||||||
|
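Review bot: The new `networking.firewall.trustedInterfaces` option in the first hunk has no `default`, unlike `networking.firewall.allowedTCPPorts` directly below it (`default = [];`), so the only definition comes from the `mkIf cfg.enable` block in the second hunk; I believe reading `config.networking.firewall.trustedInterfaces` with the firewall disabled would then fail to evaluate, and adding `default = [];` next to the `type` line keeps it consistent with the other options. The description should also say that `"lo"` is always part of the list while the firewall is enabled, since the second hunk sets it unconditionally and user values are merged into the same list rather than replacing it; something like `The loopback interface "lo" is always included when the firewall is enabled.` after the existing sentence. In the third hunk the interface name is interpolated into the shell script unquoted; `ip46tables -A nixos-fw -i "${iface}" -j nixos-fw-accept` would keep a name with whitespace from splitting into extra arguments, which is cheap defensive hygiene for a string the option type does not constrain. The enclosing `config` attribute set and the firewall script continue outside these hunks.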