vleeuwenmenno/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactors firewall configuration to enhance security and internal communication rules

Browse Source
This commit is contained in:
Menno van Leeuwen
2024-11-16 02:53:12 +01:00
parent 9b1ceddeb7
commit a068565066
1 changed files with 70 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
config/nixos/common/server.nix
View File

@ -1,6 +1,5 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
# OpenSSH server
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ 400 ]; ports = [ 400 ];
@ -16,11 +15,14 @@
}; };
}; };
# Open ports in the firewall networking = {
networking.firewall = { nat.enable = true;
nat.enableIPv6 = true;
firewall = {
enable = true; enable = true;
# Ports accessible from anywhere # Only truly external ports
allowedTCPPorts = [ allowedTCPPorts = [
80 # HTTP 80 # HTTP
443 # HTTPS 443 # HTTPS
@ -31,11 +33,12 @@
32400 # Plex 32400 # Plex
8096 # Jellyfin 8096 # Jellyfin
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
51820 # WireGuard 51820 # WireGuard
]; ];
# Common internal ports for docker0, tailscale0, and LAN # Internal ports
interfaces = interfaces =
let let
internalPorts = [ internalPorts = [
@ -65,25 +68,29 @@
# Allow established connections # Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block WAN access to internal services
iptables -I INPUT -i enp39s0 ! -s 192.168.0.0/16 -j DROP
# Allow internal network traffic # Allow internal network traffic
iptables -A INPUT -i docker0 -j ACCEPT iptables -A INPUT -i docker0 -j ACCEPT
iptables -A INPUT -i tailscale0 -j ACCEPT iptables -A INPUT -i tailscale0 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
# Allow all Docker-related traffic # Allow Docker inter-network communication
iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT # Covers all Docker network ranges
iptables -A FORWARD -s 172.16.0.0/12 -j ACCEPT
iptables -A FORWARD -d 172.16.0.0/12 -j ACCEPT
# Allow Docker container communication
iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
# Allow traffic between different Docker networks
iptables -A FORWARD -i br-* -o br-* -j ACCEPT iptables -A FORWARD -i br-* -o br-* -j ACCEPT
iptables -A FORWARD -i docker0 -o br-* -j ACCEPT iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
iptables -A FORWARD -i br-* -o docker0 -j ACCEPT iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
# Allow Docker subnet traffic but only internally
iptables -A INPUT -s 172.16.0.0/12 -i docker0 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -i br-+ -j ACCEPT
# Allow Docker container communication
iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
''; '';
# Required for Tailscale # Required for Tailscale
checkReversePath = "loose"; checkReversePath = "loose";
}; };
};
} }