author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2009-07-24 23:12:52 +0000 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2009-07-24 23:12:52 +0000 |
commit | 264b49fce76b52fce46daafdcc706d3d85dd40b0 (patch) | |
tree | 81539aee5d919168006b2e9dcff7d82eac720822 /modules/services/networking/firewall.nix | |
parent | 38d594deecfc092821044ee5f31bc9b61e754447 (diff) | |
* A very basic firewall that rejects all incoming connections except
for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r-- | modules/services/networking/firewall.nix | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
new file mode 100644
index 00000000000..a6a5f8fec2b
--- /dev/null
+++ b/modules/services/networking/firewall.nix
@@ -0,0 +1,70 @@
+{pkgs, config, ...}:
+
+let
+
+ iptables = "${pkgs.iptables}/sbin/iptables";
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
+ default = [];
+ example = [22 80];
+ type = pkgs.lib.types.list pkgs.lib.types.int;
+ description =
+ ''
+ List of TCP ports on which incoming connections are
+ accepted.
+ '';
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = {
+
+ environment.systemPackages = [pkgs.iptables];
+
+ jobs = pkgs.lib.singleton
+ { name = "firewall";
+
+ preStart =
+ ''
+ ${iptables} -F
+
+ # Accept all traffic on the loopback interface.
+ ${iptables} -A INPUT -i lo -j ACCEPT
+
+ # Accept packets from established or related connections.
+ ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # Accept connections to the allowed TCP ports.
+ ${pkgs.lib.concatMapStrings (port:
+ ''
+ ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
+ ''
+ ) config.networking.firewall.allowedTCPPorts
+ }
+
+ # Drop everything else.
+ ${iptables} -A INPUT -j DROP
+ '';
+
+ postStop =
+ ''
+ ${iptables} -F
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [22];
+
+ };
+
+}
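Review bot: The preStart script relies on the chain's default policy (ACCEPT unless set elsewhere) between `${iptables} -F` and the final `${iptables} -A INPUT -j DROP`, so the host is fully open while the rules are being appended, stays open if any intermediate iptables call fails, and is left open again after postStop flushes the chain; a safer shape is to pin the policy first, `${iptables} -P INPUT DROP` as the first preStart line, and have postStop restore it explicitly with `${iptables} -P INPUT ACCEPT` after its `-F` so the "stopped = unfiltered" semantic stays deliberate rather than implicit. Note also that bare `-F` flushes FORWARD and OUTPUT as well as INPUT, which presumably clobbers rules installed by other modules; `-F INPUT` would limit the blast radius to the chain this module manages. Only the IPv4 `iptables` binary is invoked, so if IPv6 is enabled on the host the same ports appear filtered while IPv6 traffic is not — worth a comment on the option description, e.g. `Only IPv4 is filtered; IPv6 traffic is not covered by this module.` Finally the commit message says connections are "rejected" but the rule uses `-j DROP`, which silently discards rather than answering with an ICMP/RST; either the description or the target should be aligned.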