etheroute-lon01: stateful firewall for forwarded packets
This commit is contained in:
parent
81b19971d1
commit
b6e4741320
1 changed files with 27 additions and 0 deletions
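--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -141,6 +141,33 @@ in {
 virtual = true;
 };
 firewall.allowedTCPPorts = [ 80 443 ];
+firewall.extraCommands = ''
+# Flush old rules.
+ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
+for chain in lukegb-forward lukegb-fwd-accept lukegb-fwd-reject; do
+ip46tables -F "$chain" 2>/dev/null || true
+ip46tables -X "$chain" 2>/dev/null || true
+done
+
+ip46tables -N lukegb-fwd-accept
+ip46tables -A lukegb-fwd-accept -j ACCEPT
+
+ip46tables -N lukegb-fwd-reject
+ip46tables -A lukegb-fwd-reject -p tcp ! --syn -j REJECT --reject-with tcp-reset
+ip46tables -A lukegb-fwd-reject -j REJECT
+
+ip46tables -N lukegb-forward
+
+# Accept from "trusted" quadv1-4 interface
+ip46tables -A lukegb-forward -i quadv1-4 -j lukegb-fwd-accept
+
+# Accept from established/related connections.
+ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
+
+# Set up the firewall.
+ip46tables -A lukegb-forward -j lukegb-fwd-reject
+ip46tables -A FORWARD -j lukegb-forward
+'';
 };
 my.ip.tailscale = "100.111.191.21";
 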
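Review bot: The rebuild order in this hunk removes the `FORWARD -j lukegb-forward` jump first and only re-adds it as the very last command, so for the duration of every firewall reload forwarded packets fall through to the FORWARD chain's own policy; whether that window is fail-open depends on that policy, which is not visible here. A cheap fail-closed guard is to pin the policy before the flush, e.g. `ip46tables -P FORWARD DROP` ahead of `# Flush old rules.`, provided nothing else on this host relies on a permissive FORWARD default. The ESTABLISHED,RELATED accept also has no preceding `ip46tables -A lukegb-forward -m conntrack --ctstate INVALID -j DROP`, so packets conntrack cannot classify are answered by the reject chain rather than silently dropped. The `# Set up the firewall.` comment sits on the catch-all rule and would read more accurately as `# Reject everything else (default deny).` The enclosing attribute set continues outside the hunk.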