adds iptables rules to allow established connections, internal network traffic, and Docker communication

This commit is contained in:
Menno van Leeuwen 2024-11-16 03:08:23 +01:00
parent a242530770
commit 3cb256f6e5
Signed by: vleeuwenmenno
SSH Key Fingerprint: SHA256:OJFmjANpakwD3F2Rsws4GLtbdz1TJ5tkQF0RZmF0TRE


@ -22,7 +22,7 @@
firewall = { firewall = {
enable = true; enable = true;
# Only truly external ports # External ports
allowedTCPPorts = [ allowedTCPPorts = [
80 # HTTP 80 # HTTP
443 # HTTPS 443 # HTTPS
@ -64,6 +64,24 @@
"enp39s0".allowedTCPPorts = internalPorts; "enp39s0".allowedTCPPorts = internalPorts;
}; };
extraCommands = ''
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow internal network traffic
iptables -A INPUT -i docker0 -j ACCEPT
iptables -A INPUT -i tailscale0 -j ACCEPT
iptables -A INPUT -s 192.168.86.0/24 -j ACCEPT
# Allow Docker container communication
iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
# Allow traffic between different Docker networks
iptables -A FORWARD -i br-* -o br-* -j ACCEPT
iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
'';
# Required for Tailscale # Required for Tailscale
checkReversePath = "loose"; checkReversePath = "loose";
}; };
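Review bot: The rule `iptables -A INPUT -s 192.168.86.0/24 -j ACCEPT` accepts every port from any 192.168.86.x source on any interface, which makes the `internalPorts` allowlist on `enp39s0` at the top of the hunk moot (the NixOS firewall appends its own INPUT jump only after extraCommands have run, so these accepts are evaluated first) and, together with the `checkReversePath = "loose"` setting kept at the end of the hunk, also lets a packet arriving on the external interface with a forged 192.168.86.x source through; binding it to the LAN interface, `iptables -A INPUT -i enp39s0 -s 192.168.86.0/24 -j ACCEPT`, or simply relying on the existing per-interface port list, keeps the intended policy. The three FORWARD rules use `br-*`, but the iptables interface wildcard is a trailing `+`, so as written they match only an interface literally named `br-*` and never fire; replacing `br-*` with `br-+` on those three lines fixes the match, but note that Docker's own FORWARD rules (DOCKER-USER, then the DOCKER-ISOLATION chains) precede anything appended to FORWARD, so cross-network accepts likely need to live in DOCKER-USER as the docker0 rule above already does, and a `br-+`/`br-+` accept there deliberately removes the isolation Docker maintains between user-defined networks. The `docker0` and `tailscale0` INPUT accepts give every container and every tailnet peer unrestricted access to all host-listening services; if that is intended, `networking.firewall.trustedInterfaces = [ "docker0" "tailscale0" ];` expresses it without shell rules, and the ESTABLISHED,RELATED rule duplicates one the NixOS firewall already installs in nixos-fw. The `-A DOCKER-USER` command also presumes the chain exists when the firewall service starts, which may not hold if Docker has not yet created it — worth confirming the unit ordering. The enclosing `firewall = { … }` attribute set begins in the first hunk, outside this one.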