blob: a6a5f8fec2b95304f20593591a8aad3f4086b03a (
plain) (
tree)
|
|
{pkgs, config, ...}:
let
iptables = "${pkgs.iptables}/sbin/iptables";
in
{
###### interface
options = {
networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
default = [];
example = [22 80];
type = pkgs.lib.types.list pkgs.lib.types.int;
description =
''
List of TCP ports on which incoming connections are
accepted.
'';
};
};
###### implementation
config = {
environment.systemPackages = [pkgs.iptables];
jobs = pkgs.lib.singleton
{ name = "firewall";
preStart =
''
${iptables} -F
# Accept all traffic on the loopback interface.
${iptables} -A INPUT -i lo -j ACCEPT
# Accept packets from established or related connections.
${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept connections to the allowed TCP ports.
${pkgs.lib.concatMapStrings (port:
''
${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
''
) config.networking.firewall.allowedTCPPorts
}
# Drop everything else.
${iptables} -A INPUT -j DROP
'';
postStop =
''
${iptables} -F
'';
};
networking.firewall.allowedTCPPorts = [22];
};
}
|