nixos-module/container/upstream: prohibit forwarding smtp except for serv

This commit is contained in:
Astro 2022-07-12 01:27:43 +02:00
parent 99dbdf23ff
commit 32f4b3bd84
1 changed files with 26 additions and 7 deletions


@ -57,10 +57,24 @@ in
internalInterfaces = [ "core" ]; internalInterfaces = [ "core" ];
externalInterface = firstUpstreamInterface; externalInterface = firstUpstreamInterface;
externalIP = upstreamInterfaces.${firstUpstreamInterface}.upstream.staticIpv4Address; externalIP = upstreamInterfaces.${firstUpstreamInterface}.upstream.staticIpv4Address;
extraCommands = extraCommands = ''
# Prohibit SMTP except for servers
iptables -N fwd_smtp
iptables -A fwd_smtp --source ${config.site.net.serv.subnet4} -j RETURN
iptables -A fwd_smtp -j REJECT
iptables -I FORWARD -p tcp --dport 25 -j fwd_smtp
ip6tables -N fwd_smtp
${lib.concatMapStrings (subnet6: ''
ip6tables -A fwd_smtp --source ${subnet6} -j RETURN
ip6tables -A fwd_smtp --dest ${subnet6} -j RETURN
'') (builtins.attrValues config.site.net.serv.subnets6)}
ip6tables -A fwd_smtp -j REJECT
ip6tables -I FORWARD -p tcp --dport 25 -j fwd_smtp
# Provide IPv6 upstream for everyone, using NAT66 when not from # Provide IPv6 upstream for everyone, using NAT66 when not from
# our static prefixes # our static prefixes
lib.concatMapStringsSep "\n" (net: '' ${lib.concatMapStringsSep "\n" (net: ''
ip6tables -t nat -N ${net}_nat || \ ip6tables -t nat -N ${net}_nat || \
ip6tables -t nat -F ${net}_nat ip6tables -t nat -F ${net}_nat
${lib.concatMapStringsSep "\n" (subnet: '' ${lib.concatMapStringsSep "\n" (subnet: ''
@ -73,13 +87,18 @@ in
ip6tables -t nat -A POSTROUTING \ ip6tables -t nat -A POSTROUTING \
-o ${net} \ -o ${net} \
-j ${net}_nat -j ${net}_nat
'') (builtins.attrNames upstreamInterfaces); '') (builtins.attrNames upstreamInterfaces)}
extraStopCommands = '';
lib.concatMapStringsSep "\n" (net: '' extraStopCommands = ''
ip6tables -t nat -F POSTROUTING 2>/dev/null || true iptables -F FORWARD 2>/dev/null || true
ip6tables -F FORWARD 2>/dev/null || true
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
${lib.concatMapStringsSep "\n" (net: ''
ip6tables -t nat -F ${net}_nat 2>/dev/null || true ip6tables -t nat -F ${net}_nat 2>/dev/null || true
ip6tables -t nat -X ${net}_nat 2>/dev/null || true ip6tables -t nat -X ${net}_nat 2>/dev/null || true
'') (builtins.attrNames upstreamInterfaces); '') (builtins.attrNames upstreamInterfaces)}
'';
forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort: forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
removeAttrs forwardedPort ["reflect"] // { removeAttrs forwardedPort ["reflect"] // {
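Review bot: The `iptables -N fwd_smtp` and `ip6tables -N fwd_smtp` lines at the top of the new extraCommands are not restart-safe: unlike the `${net}_nat` chains a few lines below, which use `-N … || -F …`, a second run fails the `-N`, appends the RETURN/REJECT rules again and inserts a further FORWARD jump, and the new extraStopCommands in the second hunk flushes FORWARD but never flushes or deletes fwd_smtp, so its rules accumulate across restarts. The two chains are also asymmetric: the IPv6 chain RETURNs on `--dest` of the serv subnets as well as `--source`, while the IPv4 chain checks only `--source`, so port-25 traffic forwarded towards a serv host over IPv4 (e.g. via forwardPorts, where FORWARD sees the post-DNAT destination) would hit REJECT — if that is intended a comment should say so, otherwise add `iptables -A fwd_smtp --dest ${config.site.net.serv.subnet4} -j RETURN`. Note too that `iptables -F FORWARD` / `ip6tables -F FORWARD` in extraStopCommands flush the entire chain rather than only the rules this module inserted, which is broader than the teardown needs if anything else populates FORWARD on this host. Suggested idempotent setup and matching teardown:
```nix
# Prohibit SMTP except for servers
iptables -N fwd_smtp || iptables -F fwd_smtp
iptables -A fwd_smtp --source ${config.site.net.serv.subnet4} -j RETURN
iptables -A fwd_smtp -j REJECT
iptables -I FORWARD -p tcp --dport 25 -j fwd_smtp
ip6tables -N fwd_smtp || ip6tables -F fwd_smtp
# … unchanged: IPv6 serv-subnet RETURN rules, REJECT and FORWARD jump, NAT66 setup …
extraStopCommands = ''
  iptables -F FORWARD 2>/dev/null || true
  ip6tables -F FORWARD 2>/dev/null || true
  iptables -F fwd_smtp 2>/dev/null || true
  iptables -X fwd_smtp 2>/dev/null || true
  ip6tables -F fwd_smtp 2>/dev/null || true
  ip6tables -X fwd_smtp 2>/dev/null || true
  # … unchanged: POSTROUTING flush and per-interface NAT66 chain teardown …
```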