authorEelco Dolstra <eelco.dolstra@logicblox.com>2009-07-24 23:12:52 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2009-07-24 23:12:52 +0000
commit264b49fce76b52fce46daafdcc706d3d85dd40b0 (patch)
tree81539aee5d919168006b2e9dcff7d82eac720822 /modules/services/networking/firewall.nix
parent38d594deecfc092821044ee5f31bc9b61e754447 (diff)
* A very basic firewall that drops all incoming connections except
  those to the ports defined in networking.firewall.allowedTCPPorts.

svn path=/nixos/branches/modular-nixos/; revision=16460
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix70
1 files changed, 70 insertions, 0 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
new file mode 100644
index 00000000000..a6a5f8fec2b
--- /dev/null
+++ b/modules/services/networking/firewall.nix
@@ -0,0 +1,70 @@
+{pkgs, config, ...}:
+
+let
+
+  iptables = "${pkgs.iptables}/sbin/iptables";
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+  
+    networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
+      default = [];
+      example = [22 80];
+      type = pkgs.lib.types.list pkgs.lib.types.int;
+      description =
+        ''
+          List of TCP ports on which incoming connections are
+          accepted.
+        '';
+    };
+  
+  };
+
+
+  ###### implementation
+  
+  config = {
+
+    environment.systemPackages = [pkgs.iptables];
+
+    jobs = pkgs.lib.singleton
+      { name = "firewall";
+
+        preStart =
+          ''
+            ${iptables} -F
+
+            # Accept all traffic on the loopback interface.
+            ${iptables} -A INPUT -i lo -j ACCEPT
+
+            # Accept packets from established or related connections.
+            ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+            # Accept connections to the allowed TCP ports.            
+            ${pkgs.lib.concatMapStrings (port:
+                ''
+                  ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
+                ''
+              ) config.networking.firewall.allowedTCPPorts
+            }
+
+            # Drop everything else.              
+            ${iptables} -A INPUT -j DROP
+          '';
+
+        postStop =
+          ''
+            ${iptables} -F
+          '';     
+      };
+
+    networking.firewall.allowedTCPPorts = [22];
+    
+  };
+
+}
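Review bot: The ruleset fails open: `iptables -F` at the top of preStart and in postStop only empties the INPUT chain, and the chain's built-in policy is never set, so it stays at the kernel default of ACCEPT — every port is reachable while the accept rules are being appended, and again whenever the job is stopped or restarted. Setting the policy before flushing closes that window and makes the trailing `-A INPUT -j DROP` unnecessary: `${iptables} -P INPUT DROP` followed by `${iptables} -F INPUT` in preStart (and, if an open host on stop is really intended, an explicit `${iptables} -P INPUT ACCEPT` in postStop so the behaviour is deliberate rather than incidental). Only the IPv4 `iptables` binary is used, so if the host has IPv6 addresses none of this filtering applies to them — worth a comment such as `# NOTE: IPv4 only; ip6tables is not configured, so IPv6 traffic is unfiltered.` until ip6tables rules are added. Separately, `networking.firewall.allowedTCPPorts = [22]` in the config section is merged into the list rather than acting as a default, so a user setting the option cannot close port 22; if that is intended it should be stated in the option description.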