refactors firewall configuration to enhance security and internal communication rules

2024-11-16 02:53:12 +01:00
parent 9b1ceddeb7
commit a068565066
1 changed files with 70 additions and 63 deletions
--- a/config/nixos/common/server.nix
+++ b/config/nixos/common/server.nix
@ -1,6 +1,5 @@
 { config, pkgs, ... }:
 {
-  # OpenSSH server
  services.openssh = {
    enable = true;
    ports = [ 400 ];
@ -16,74 +15,82 @@
    };
  };

-  # Open ports in the firewall
-  networking.firewall = {
-    enable = true;
+  networking = {
+    nat.enable = true;
+    nat.enableIPv6 = true;

-    # Ports accessible from anywhere
-    allowedTCPPorts = [
-      80 # HTTP
-      443 # HTTPS
-      22 # Git over SSH
-      400 # SSH
-      25565 # Minecraft
-      3456 # Minecraft (Bluemap)
-      32400 # Plex
-      8096 # Jellyfin
-    ];
-    allowedUDPPorts = [
-      51820 # WireGuard
-    ];
+    firewall = {
+      enable = true;

-    # Common internal ports for docker0, tailscale0, and LAN
-    interfaces =
-      let
-        internalPorts = [
-          81 # Nginx Proxy Manager
-          5334 # Duplicati Notifications
-          7788 # Sabnzbd
-          8085 # Qbittorrent
-          3030 # Gitea
-          5080 # Factorio Server Manager
-          5555 # Overseerr
-          9696 # Prowlarr
-          7878 # Radarr
-          8686 # Lidarr
-          8989 # Sonarr
-          8386 # Whisparr
-          8191 # Flaresolerr
-          9999 # Stash
-        ];
-      in
-      {
-        "docker0".allowedTCPPorts = internalPorts;
-        "tailscale0".allowedTCPPorts = internalPorts;
-        "enp39s0".allowedTCPPorts = internalPorts;
-      };
+      # Only truly external ports
+      allowedTCPPorts = [
+        80 # HTTP
+        443 # HTTPS
+        22 # Git over SSH
+        400 # SSH
+        25565 # Minecraft
+        3456 # Minecraft (Bluemap)
+        32400 # Plex
+        8096 # Jellyfin
+      ];

-    extraCommands = ''
-      # Allow established connections
-      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+      allowedUDPPorts = [
+        51820 # WireGuard
+      ];

-      # Allow internal network traffic
-      iptables -A INPUT -i docker0 -j ACCEPT
-      iptables -A INPUT -i tailscale0 -j ACCEPT
-      iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+      # Internal ports
+      interfaces =
+        let
+          internalPorts = [
+            81 # Nginx Proxy Manager
+            5334 # Duplicati Notifications
+            7788 # Sabnzbd
+            8085 # Qbittorrent
+            3030 # Gitea
+            5080 # Factorio Server Manager
+            5555 # Overseerr
+            9696 # Prowlarr
+            7878 # Radarr
+            8686 # Lidarr
+            8989 # Sonarr
+            8386 # Whisparr
+            8191 # Flaresolerr
+            9999 # Stash
+          ];
+        in
+        {
+          "docker0".allowedTCPPorts = internalPorts;
+          "tailscale0".allowedTCPPorts = internalPorts;
+          "enp39s0".allowedTCPPorts = internalPorts;
+        };

-      # Allow all Docker-related traffic
-      iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT  # Covers all Docker network ranges
-      iptables -A FORWARD -s 172.16.0.0/12 -j ACCEPT
-      iptables -A FORWARD -d 172.16.0.0/12 -j ACCEPT
+      extraCommands = ''
+        # Allow established connections
+        iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

-      # Allow Docker container communication
-      iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
+        # Block WAN access to internal services
+        iptables -I INPUT -i enp39s0 ! -s 192.168.0.0/16 -j DROP

-      # Allow traffic between different Docker networks
-      iptables -A FORWARD -i br-* -o br-* -j ACCEPT
-      iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
-      iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
-    '';
-    # Required for Tailscale
-    checkReversePath = "loose";
+        # Allow internal network traffic
+        iptables -A INPUT -i docker0 -j ACCEPT
+        iptables -A INPUT -i tailscale0 -j ACCEPT
+        iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+
+        # Allow Docker inter-network communication
+        iptables -A FORWARD -i br-* -o br-* -j ACCEPT
+        iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
+        iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
+
+        # Allow Docker subnet traffic but only internally
+        iptables -A INPUT -s 172.16.0.0/12 -i docker0 -j ACCEPT
+        iptables -A INPUT -s 172.16.0.0/12 -i br-+ -j ACCEPT
+
+        # Allow Docker container communication
+        iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
+      '';
+
+      # Required for Tailscale
+      checkReversePath = "loose";
+    };
  };
 }