From 32f4b3bd84354a12b4bfcbe0343c4d52014d8a1c Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 12 Jul 2022 01:27:43 +0200
Subject: [PATCH] nixos-module/container/upstream: prohibit forwarding smtp except for serv

---
 nix/nixos-module/container/upstream.nix | 33 +++++++++++++++++++------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index e35ac4d..15dcebb 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -57,10 +57,24 @@ in
       internalInterfaces = [ "core" ];
       externalInterface = firstUpstreamInterface;
       externalIP = upstreamInterfaces.${firstUpstreamInterface}.upstream.staticIpv4Address;
-      extraCommands =
+      extraCommands = ''
+        # Prohibit SMTP except for servers
+        iptables -N fwd_smtp
+        iptables -A fwd_smtp --source ${config.site.net.serv.subnet4} -j RETURN
+        iptables -A fwd_smtp -j REJECT
+        iptables -I FORWARD -p tcp --dport 25 -j fwd_smtp
+
+        ip6tables -N fwd_smtp
+        ${lib.concatMapStrings (subnet6: ''
+          ip6tables -A fwd_smtp --source ${subnet6} -j RETURN
+          ip6tables -A fwd_smtp --dest ${subnet6} -j RETURN
+        '') (builtins.attrValues config.site.net.serv.subnets6)}
+        ip6tables -A fwd_smtp -j REJECT
+        ip6tables -I FORWARD -p tcp --dport 25 -j fwd_smtp
+
         # Provide IPv6 upstream for everyone, using NAT66 when not from
         # our static prefixes
-        lib.concatMapStringsSep "\n" (net: ''
+        ${lib.concatMapStringsSep "\n" (net: ''
           ip6tables -t nat -N ${net}_nat || \
             ip6tables -t nat -F ${net}_nat
           ${lib.concatMapStringsSep "\n" (subnet: ''
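Review bot: The new chains are created with a bare `iptables -N fwd_smtp` / `ip6tables -N fwd_smtp`, unlike the `ip6tables -t nat -N ${net}_nat || ip6tables -t nat -F ${net}_nat` idiom a few lines below, so a second run of extraCommands against a still-existing chain fails on `-N` and, if the script keeps going, appends a duplicate set of RETURN/REJECT rules. Following the file's own idiom, `iptables -N fwd_smtp 2>/dev/null || iptables -F fwd_smtp` (and the same for ip6tables) keeps the rule set stable across reloads. The two address families are also not symmetric: the ip6tables loop RETURNs on `--dest ${subnet6}` as well as `--source`, while the iptables chain only exempts `--source ${config.site.net.serv.subnet4}`, so forwarded IPv4 SMTP destined *to* a serv host (e.g. a port-25 entry in `forwardPorts`, if one exists) would be rejected; if that is intended, a comment such as `# v4: only outbound from serv; inbound v4 port 25 is not forwarded` would make it explicit. The `extraCommands` string continues past the end of this hunk.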
@@ -73,13 +87,18 @@ in
           ip6tables -t nat -A POSTROUTING \
             -o ${net} \
             -j ${net}_nat
-        '') (builtins.attrNames upstreamInterfaces);
-      extraStopCommands =
-        lib.concatMapStringsSep "\n" (net: ''
-          ip6tables -t nat -F POSTROUTING 2>/dev/null || true
+        '') (builtins.attrNames upstreamInterfaces)}
+      '';
+      extraStopCommands = ''
+        iptables -F FORWARD 2>/dev/null || true
+        ip6tables -F FORWARD 2>/dev/null || true
+
+        ip6tables -t nat -F POSTROUTING 2>/dev/null || true
+        ${lib.concatMapStringsSep "\n" (net: ''
           ip6tables -t nat -F ${net}_nat 2>/dev/null || true
           ip6tables -t nat -X ${net}_nat 2>/dev/null || true
-        '') (builtins.attrNames upstreamInterfaces);
+        '') (builtins.attrNames upstreamInterfaces)}
+      '';
 
       forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
         removeAttrs forwardedPort ["reflect"] // {
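Review bot: `iptables -F FORWARD` and `ip6tables -F FORWARD` at the top of the new extraStopCommands flush the whole FORWARD chain, which also removes any forwarding rules other modules or services on this host may have installed, while the `fwd_smtp` chains themselves are never flushed or deleted, so they are still present when extraCommands runs again (assuming the NAT module runs the stop commands before re-running the start commands on reload). Tearing down only what this module added — delete the jump, then flush and delete the chain, mirroring the `-F`/`-X ${net}_nat` pattern used for the NAT66 chains below — avoids both problems. The `networking.nat` attribute set this belongs to begins before the hunk and the `forwardPorts` definition continues after it.

```nix
      extraStopCommands = ''
        # Remove only our SMTP filter; leave the rest of FORWARD untouched
        iptables -D FORWARD -p tcp --dport 25 -j fwd_smtp 2>/dev/null || true
        iptables -F fwd_smtp 2>/dev/null || true
        iptables -X fwd_smtp 2>/dev/null || true
        ip6tables -D FORWARD -p tcp --dport 25 -j fwd_smtp 2>/dev/null || true
        ip6tables -F fwd_smtp 2>/dev/null || true
        ip6tables -X fwd_smtp 2>/dev/null || true

        # ... unchanged: NAT66 POSTROUTING flush and per-interface nat chain teardown ...
      '';
```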