From 264b49fce76b52fce46daafdcc706d3d85dd40b0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Fri, 24 Jul 2009 23:12:52 +0000
Subject: * A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts.

svn path=/nixos/branches/modular-nixos/; revision=16460
---
 modules/services/networking/firewall.nix | 70 ++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 modules/services/networking/firewall.nix

(limited to 'modules/services/networking/firewall.nix')

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
new file mode 100644
index 00000000000..a6a5f8fec2b
--- /dev/null
+++ b/modules/services/networking/firewall.nix
@@ -0,0 +1,70 @@
+{pkgs, config, ...}:
+
+let
+
+ iptables = "${pkgs.iptables}/sbin/iptables";
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
+ default = [];
+ example = [22 80];
+ type = pkgs.lib.types.list pkgs.lib.types.int;
+ description =
+ ''
+ List of TCP ports on which incoming connections are
+ accepted.
+ '';
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = {
+
+ environment.systemPackages = [pkgs.iptables];
+
+ jobs = pkgs.lib.singleton
+ { name = "firewall";
+
+ preStart =
+ ''
+ ${iptables} -F
+
+ # Accept all traffic on the loopback interface.
+ ${iptables} -A INPUT -i lo -j ACCEPT
+
+ # Accept packets from established or related connections.
+ ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # Accept connections to the allowed TCP ports.
+ ${pkgs.lib.concatMapStrings (port:
+ ''
+ ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
+ ''
+ ) config.networking.firewall.allowedTCPPorts
+ }
+
+ # Drop everything else.
+ ${iptables} -A INPUT -j DROP
+ '';
+
+ postStop =
+ ''
+ ${iptables} -F
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [22];
+
+ };
+
+}
-- 
cgit 1.4.1
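Review bot: The preStart script is fail-open: it starts with `${iptables} -F` and only appends the `-A INPUT -j DROP` rule as its last command, so if any intermediate iptables invocation fails (or the job is interrupted) the INPUT chain is left flushed under the kernel's default ACCEPT policy with no drop rule at all. Setting the policy before flushing, `${iptables} -P INPUT DROP` as the first line of preStart, with a matching `${iptables} -P INPUT ACCEPT` next to the `-F` in postStop, keeps the host closed during rule installation; note also that a bare `-F` flushes the FORWARD and OUTPUT chains too, which may discard rules installed by other services. Only the IPv4 `iptables` binary is ever invoked, so on a host with IPv6 addresses the allowedTCPPorts restriction presumably does not apply to IPv6 traffic at all — worth stating in the option description or adding an `ip6tables` counterpart. Finally, the unconditional `networking.firewall.allowedTCPPorts = [22];` in the config section means port 22 stays open whatever the user sets, since list options are merged rather than overridden; if that is intended, the option description should say so.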