refactors firewall configuration to enhance security and internal communication rules

2024-11-16 02:53:12 +01:00
parent 9b1ceddeb7
commit a068565066
1 changed files with 70 additions and 63 deletions
--- a/config/nixos/common/server.nix
+++ b/config/nixos/common/server.nix
@ -1,6 +1,5 @@
 { config, pkgs, ... }:
 {
-  # OpenSSH server
  services.openssh = {
    enable = true;
    ports = [ 400 ];
@ -16,11 +15,14 @@
    };
  };

-  # Open ports in the firewall
-  networking.firewall = {
+  networking = {
+    nat.enable = true;
+    nat.enableIPv6 = true;
+
+    firewall = {
      enable = true;

-    # Ports accessible from anywhere
+      # Only truly external ports
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
@ -31,11 +33,12 @@
        32400 # Plex
        8096 # Jellyfin
      ];
+
      allowedUDPPorts = [
        51820 # WireGuard
      ];

-    # Common internal ports for docker0, tailscale0, and LAN
+      # Internal ports
      interfaces =
        let
          internalPorts = [
@ -65,25 +68,29 @@
        # Allow established connections
        iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

+        # Block WAN access to internal services
+        iptables -I INPUT -i enp39s0 ! -s 192.168.0.0/16 -j DROP
+
        # Allow internal network traffic
        iptables -A INPUT -i docker0 -j ACCEPT
        iptables -A INPUT -i tailscale0 -j ACCEPT
        iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

-      # Allow all Docker-related traffic
-      iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT  # Covers all Docker network ranges
-      iptables -A FORWARD -s 172.16.0.0/12 -j ACCEPT
-      iptables -A FORWARD -d 172.16.0.0/12 -j ACCEPT
-
-      # Allow Docker container communication
-      iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
-
-      # Allow traffic between different Docker networks
+        # Allow Docker inter-network communication
        iptables -A FORWARD -i br-* -o br-* -j ACCEPT
        iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
        iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
+
+        # Allow Docker subnet traffic but only internally
+        iptables -A INPUT -s 172.16.0.0/12 -i docker0 -j ACCEPT
+        iptables -A INPUT -s 172.16.0.0/12 -i br-+ -j ACCEPT
+
+        # Allow Docker container communication
+        iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
      '';
+
      # Required for Tailscale
      checkReversePath = "loose";
    };
+  };
 }