nixos-module/container/upstream: reflect connections to staticIpv4Address
parent
675dc080e7
commit
c5f57bd8c1
|
@ -15,6 +15,8 @@ let
|
||||||
else null;
|
else null;
|
||||||
|
|
||||||
enabled = firstUpstreamInterface != null;
|
enabled = firstUpstreamInterface != null;
|
||||||
|
|
||||||
|
inherit (upstreamInterfaces.${firstUpstreamInterface}.upstream) staticIpv4Address;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
systemd.network.networks = {
|
systemd.network.networks = {
|
||||||
|
@ -56,7 +58,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
internalInterfaces = [ "core" ];
|
internalInterfaces = [ "core" ];
|
||||||
externalInterface = firstUpstreamInterface;
|
externalInterface = firstUpstreamInterface;
|
||||||
externalIP = upstreamInterfaces.${firstUpstreamInterface}.upstream.staticIpv4Address;
|
externalIP = staticIpv4Address;
|
||||||
extraCommands = ''
|
extraCommands = ''
|
||||||
# Prohibit SMTP except for servers
|
# Prohibit SMTP except for servers
|
||||||
iptables -N fwd_smtp
|
iptables -N fwd_smtp
|
||||||
|
@ -72,6 +74,16 @@ in
|
||||||
ip6tables -A fwd_smtp -j REJECT
|
ip6tables -A fwd_smtp -j REJECT
|
||||||
ip6tables -I FORWARD -p tcp --dport 25 -j fwd_smtp
|
ip6tables -I FORWARD -p tcp --dport 25 -j fwd_smtp
|
||||||
|
|
||||||
|
${lib.optionalString (staticIpv4Address != null) ''
|
||||||
|
# Allow connections to ${staticIpv4Address} from other hosts behind NAT
|
||||||
|
${lib.concatMapStrings (fwd: ''
|
||||||
|
iptables -t nat -t nat -A nixos-nat-pre \
|
||||||
|
-d ${staticIpv4Address} -p ${fwd.proto} \
|
||||||
|
--dport ${builtins.toString fwd.sourcePort} \
|
||||||
|
-j DNAT --to-destination ${fwd.destination}
|
||||||
|
'') config.networking.nat.forwardPorts}
|
||||||
|
''}
|
||||||
|
|
||||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||||
# our static prefixes
|
# our static prefixes
|
||||||
${lib.concatMapStringsSep "\n" (net: ''
|
${lib.concatMapStringsSep "\n" (net: ''
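Review bot: The hairpin DNAT rule in the new `lib.optionalString` block repeats the table flag, `iptables -t nat -t nat -A nixos-nat-pre \`; iptables takes the last `-t` so it still runs, but the line should read `iptables -t nat -A nixos-nat-pre \`. More importantly, a DNAT alone only rewrites the destination: when an internal client and `fwd.destination` can reach each other without the reply passing back through this router, the answer presumably arrives with the backend's real address instead of `${staticIpv4Address}` and the client drops it, so a matching SNAT/MASQUERADE in `nixos-nat-post` for internal sources hitting the DNATed destination looks necessary — NixOS's `networking.nat.forwardPorts.*.loopbackIPs` option, if the release in use provides it, generates both halves and could replace this hand-written block. The rule also carries no interface match, so it applies to packets arriving on `${firstUpstreamInterface}` as well and likely overlaps the per-port rules NixOS already emits for `externalIP`; adding `! -i ${firstUpstreamInterface}` would keep it to the reflected case the comment describes. The `extraCommands` string this sits in starts in the previous hunk and ends outside this one.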
|
||||||
|
|