| author | sinanmohd <sinan@sinanmohd.com> | 2025-04-23 00:10:48 +0530 | 
|---|---|---|
| committer | sinanmohd <sinan@sinanmohd.com> | 2025-04-23 00:10:48 +0530 | 
| commit | 7e36e8160d2985ffb90f2198c755208cd598cd75 (patch) | |
| tree | bb197836ff29b2a6e6a7005c8da5d60f9cab5a5b /os/kay | |
| parent | fcc33bf3c389dbfce80eafcb1fb5287f1beeebc9 (diff) | |
os/kay/firewall: refactor
Diffstat (limited to 'os/kay')
| -rw-r--r-- | os/kay/modules/hurricane.nix | 6 | ||||
| -rw-r--r-- | os/kay/modules/router.nix | 18 | ||||
| -rw-r--r-- | os/kay/modules/wireguard.nix | 10 | 
3 files changed, 20 insertions, 14 deletions
| diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/hurricane.nix
index 9aaf1d1..511b213 100644
--- a/os/kay/modules/hurricane.nix
+++ b/os/kay/modules/hurricane.nix
@@ -42,8 +42,12 @@ in
       rttablesExtraConfig = "200 hurricane";
     };
-    firewall.extraCommands =
+    firewall = {
+      extraCommands =
       "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT";
+      extraStopCommands =
+      "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT";
+    };
   };
   sops.secrets = {
diff --git a/os/kay/modules/router.nix b/os/kay/modules/router.nix
index 5b0bda8..2e01789 100644
--- a/os/kay/modules/router.nix
+++ b/os/kay/modules/router.nix
@@ -43,13 +43,23 @@ in {
       allowedUDPPorts = [ 53 67 ];
       allowedTCPPorts = [ 53 ];
       extraCommands = ''
-        iptables -t nat -I POSTROUTING 1 \
-            -s ${subnet}/${toString prefix} \
-            -o ${wanInterface} \
-            -j MASQUERADE
         iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
             -o ${wanInterface} \
             -j TCPMSS --clamp-mss-to-pmtu
+
+        iptables -N inetfilter
+        iptables -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT
+        iptables -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT
+        iptables -A inetfilter -j DROP
+        iptables -I FORWARD -i lan -o ppp0 -j inetfilter
+      '';
+      extraStopCommands = ''
+        iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \
+            -o ${wanInterface} \
+            -j TCPMSS --clamp-mss-to-pmtu
+
+        iptables -w -t filter -F inetfilter
+        iptables -w -t filter -X inetfilter
       '';
     };
   };
diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix
index 4256dd3..21cec06 100644
--- a/os/kay/modules/wireguard.nix
+++ b/os/kay/modules/wireguard.nix
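Review bot: `iptables -D INPUT …` in the new `extraStopCommands` returns non-zero when the rule is absent (stop after a failed start, or after a reload that already removed it), and if the NixOS firewall stop script runs under `sh -e` — which I believe it does — the remaining stop commands are skipped. The same pattern applies to the TCPMSS `-D` line in router.nix's new `extraStopCommands`. Consider `iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT 2>/dev/null || true`, or a `while iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT 2>/dev/null; do :; done` loop if duplicates from earlier starts may have accumulated, since the `-A` on the start side appends unconditionally. The enclosing attribute set starts outside the hunk.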
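Review bot: The new `extraStopCommands` flushes and deletes `inetfilter` but never removes the `iptables -I FORWARD -i lan -o ppp0 -j inetfilter` jump added in `extraCommands`, so `iptables -X inetfilter` fails because the chain is still referenced, and on the next start `iptables -N inetfilter` fails as well because the chain survived (the NixOS start script does not flush user-defined chains and, as far as I recall, both scripts run under `sh -e`). The jump rule also hard-codes `ppp0` while the adjacent TCPMSS rule uses `${wanInterface}`; if the two ever differ, LAN-to-WAN forwarding bypasses the filter silently. The `-w` lock flag appears only on the two stop lines, not on the start lines. The rewrite below removes the jump before tearing the chain down, makes chain creation and the jump insertion idempotent, and uses `${wanInterface}`; note that the `-m mac` plus source-IP match keeps unconfigured LAN hosts off the WAN but is not an authentication boundary, and the fixed addresses presume static DHCP leases for those two MACs. The enclosing `firewall` set starts outside the hunk.
```nix
      extraCommands = ''
        # … unchanged: TCPMSS clamp …

        iptables -w -N inetfilter 2>/dev/null || iptables -w -F inetfilter
        iptables -w -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT
        iptables -w -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT
        iptables -w -A inetfilter -j DROP
        iptables -w -D FORWARD -i lan -o ${wanInterface} -j inetfilter 2>/dev/null || true
        iptables -w -I FORWARD -i lan -o ${wanInterface} -j inetfilter
      '';
      extraStopCommands = ''
        # … unchanged: TCPMSS clamp removal …

        iptables -w -D FORWARD -i lan -o ${wanInterface} -j inetfilter 2>/dev/null || true
        iptables -w -F inetfilter 2>/dev/null || true
        iptables -w -X inetfilter 2>/dev/null || true
      '';
```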
@@ -52,16 +52,8 @@ in {
       externalInterface = wanInterface;
       internalInterfaces = [ wgInterface ];
     };
-    firewall = {
-      allowedUDPPorts = [ port ];
-      extraCommands = ''
-        iptables -t nat -I POSTROUTING 1 \
-            -s ${subnet}/${toString prefix} \
-            -o ${wanInterface} \
-            -j MASQUERADE
-      '';
-    };
+    firewall.allowedUDPPorts = [ port ];
     wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf;
   }; |
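Review bot: Dropping the `MASQUERADE` rule for `${subnet}/${toString prefix}` is only behaviour-preserving if `networking.nat.enable` is set in this module; the hunk shows `externalInterface` and `internalInterfaces` but the `enable` line, if any, is outside it. As far as I recall, `networking.nat` masquerades by ingress interface (`${wgInterface}`) rather than by source subnet, so peer traffic reaching the WAN through any other path would no longer be translated. router.nix removes the same rule with no `networking.nat` context visible in its hunk, so the same check applies there. A comment such as `# NAT for ${subnet} is provided by networking.nat (internalInterfaces above)` would record where masquerading now comes from. The enclosing attribute set starts outside the hunk.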
