etheroute-lon01: stateful firewall for forwarded packets

Luke Granger-Brown 2021-12-07 17:25:59 +00:00
parent 81b19971d1
commit b6e4741320


@ -141,6 +141,33 @@ in {
virtual = true;
};
firewall.allowedTCPPorts = [ 80 443 ];
firewall.extraCommands = ''
# Flush old rules.
ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
for chain in lukegb-forward lukegb-fwd-accept lukegb-fwd-reject; do
ip46tables -F "$chain" 2>/dev/null || true
ip46tables -X "$chain" 2>/dev/null || true
done
ip46tables -N lukegb-fwd-accept
ip46tables -A lukegb-fwd-accept -j ACCEPT
ip46tables -N lukegb-fwd-reject
ip46tables -A lukegb-fwd-reject -p tcp ! --syn -j REJECT --reject-with tcp-reset
ip46tables -A lukegb-fwd-reject -j REJECT
ip46tables -N lukegb-forward
# Accept from "trusted" quadv1-4 interface
ip46tables -A lukegb-forward -i quadv1-4 -j lukegb-fwd-accept
# Accept from established/related connections.
ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
# Set up the firewall.
ip46tables -A lukegb-forward -j lukegb-fwd-reject
ip46tables -A FORWARD -j lukegb-forward
'';
};
my.ip.tailscale = "100.111.191.21";
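Review bot: The hook into the built-in chain on the last line of extraCommands, `ip46tables -A FORWARD -j lukegb-forward`, appends after anything already in FORWARD, so any ACCEPT rule installed earlier by another component (NAT, container or VM networking, or a previous run that was not cleaned up) is matched first and never reaches lukegb-fwd-reject; unless there is a reason to defer to those rules, `ip46tables -I FORWARD -j lukegb-forward` puts the stateful check first, and the `-D FORWARD -j lukegb-forward` at the top keeps working unchanged. The trust rule `-i quadv1-4 -j lukegb-fwd-accept` is by interface name only and accepts packets of any conntrack state, including INVALID, so an explicit `ip46tables -A lukegb-forward -m conntrack --ctstate INVALID -j DROP` ahead of it would stop out-of-window or unsolicited segments from being forwarded or answered with a tcp-reset. A one-line comment on the reject chain, `# Non-SYN TCP gets an RST so stale peers give up quickly; everything else gets the default ICMP unreachable`, would explain why it has two REJECT rules. Whether the NixOS firewall start script flushes FORWARD before running extraCommands is not visible here; if it does not, the duplicate-rule handling at the top relies on removing at most one stale jump. The enclosing attribute set begins before this hunk and the trailing context may be truncated in this rendering.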