From b6e474132028c32d136b1663f43d6b4773471930 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Tue, 7 Dec 2021 17:25:59 +0000
Subject: [PATCH] etheroute-lon01: stateful firewall for forwarded packets
---
 ops/nixos/etheroute-lon01/default.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index 5bc8a7f47a..38b5e64ef4 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -141,6 +141,33 @@ in {
 virtual = true;
 };
 firewall.allowedTCPPorts = [ 80 443 ];
+ firewall.extraCommands = ''
+ # Flush old rules.
+ ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
+ for chain in lukegb-forward lukegb-fwd-accept lukegb-fwd-reject; do
+ ip46tables -F "$chain" 2>/dev/null || true
+ ip46tables -X "$chain" 2>/dev/null || true
+ done
+
+ ip46tables -N lukegb-fwd-accept
+ ip46tables -A lukegb-fwd-accept -j ACCEPT
+
+ ip46tables -N lukegb-fwd-reject
+ ip46tables -A lukegb-fwd-reject -p tcp ! --syn -j REJECT --reject-with tcp-reset
+ ip46tables -A lukegb-fwd-reject -j REJECT
+
+ ip46tables -N lukegb-forward
+
+ # Accept from "trusted" quadv1-4 interface
+ ip46tables -A lukegb-forward -i quadv1-4 -j lukegb-fwd-accept
+
+ # Accept from established/related connections.
+ ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
+
+ # Set up the firewall.
+ ip46tables -A lukegb-forward -j lukegb-fwd-reject
+ ip46tables -A FORWARD -j lukegb-forward
+ '';
 }; my.ip.tailscale = "100.111.191.21";