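{
  # NOTE(review): the NixOS ferm module replaces the stock NixOS firewall
  # service, so these two options are presumably inert once services.ferm is
  # enabled (port 8000 is opened explicitly in the ferm rules below anyway).
  # Kept so the declared configuration is unchanged — confirm before removing.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 8000 ];

  # Host firewall managed by ferm. INPUT and FORWARD default to DROP, OUTPUT
  # is unrestricted. Interfaces referenced below: lo, tailscale0, wg0 and the
  # wg42_* tunnels (the comments in the FORWARD chain tie wg42_* to dn42).
  services.ferm = {
    enable = true;
    config = ''
      # ICMP is accepted unconditionally for both address families.
      domain ip table filter chain INPUT proto icmp ACCEPT;
      domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;

          # Connection tracking first: drop malformed/untracked packets and
          # short-circuit replies before any per-port rule is consulted.
          # (Previously these two rules sat after the port rules, so INVALID
          # packets aimed at an open port were accepted.)
          mod state state (INVALID) DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          # Fully trusted interfaces. Note this includes every wg42_* tunnel,
          # i.e. presumably all dn42 peers, not only the local links.
          interface lo ACCEPT;
          interface tailscale0 ACCEPT;
          interface wg42_+ ACCEPT;
          interface wg0 ACCEPT;

          # Services reachable on every interface. http/https were listed both
          # by name and by number (80/443); the names are dropped, same set.
          proto tcp dport (22 53 80 443 6900 8000) ACCEPT;
          # NOTE(review): SSH is TCP-only, so udp/22 is likely unused — verify
          # before tightening. What listens on 480:510 and 6900 is not
          # documented here.
          proto udp dport (22 53 480:510 6900 8000) ACCEPT;
          # BGP. Reachable from any interface, not only the wg42_* tunnels.
          proto tcp dport (179) ACCEPT;
          # dns
          proto (udp tcp) dport domain ACCEPT;
        }

        chain OUTPUT {
          policy ACCEPT;
        }

        chain FORWARD {
          policy DROP;
          # allow intern routing and dn42 forwarding
          interface wg42_+ outerface wg42_+ ACCEPT;
          interface tailscale0 outerface tailscale0 ACCEPT;
          interface tailscale0 outerface wg42_+ ACCEPT;
          # but dn42 -> intern only with exceptions
          interface wg42_+ outerface tailscale0 {
            proto (ipv6-icmp icmp) ACCEPT;
            # Allow SSH access from dn42 to devices behind tailscale0 interfaces
            proto tcp dport (ssh) ACCEPT;
            # Return traffic for connections opened from the tailscale0 side.
            # Only ESTABLISHED is matched here (not RELATED), unlike INPUT.
            mod state state (ESTABLISHED) ACCEPT;
          }
        }
      }
    '';
  };
}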