summaryrefslogtreecommitdiffstats
path: root/tv/3modules/iptables.nix
diff options
context:
space:
mode:
Diffstat (limited to 'tv/3modules/iptables.nix')
-rw-r--r--tv/3modules/iptables.nix208
1 files changed, 0 insertions, 208 deletions
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
deleted file mode 100644
index 5b36c5acb..000000000
--- a/tv/3modules/iptables.nix
+++ /dev/null
@@ -1,208 +0,0 @@
-with import ./lib;
-{ config, pkgs, ... }: let {
- cfg = config.tv.iptables;
-
- body = {
- options.tv.iptables = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- extraTypes = {
- rules = types.submodule {
- options = {
- nat.OUTPUT = mkOption {
- type = with types; listOf str;
- default = [];
- };
- nat.PREROUTING = mkOption {
- type = with types; listOf str;
- default = [];
- };
- nat.POSTROUTING = mkOption {
- type = with types; listOf str;
- default = [];
- };
- filter.FORWARD = mkOption {
- type = with types; listOf str;
- default = [];
- };
- filter.INPUT = mkOption {
- type = with types; listOf str;
- default = [];
- };
- filter.Retiolum = mkOption {
- type = with types; listOf str;
- default = [];
- };
- filter.Wiregrill = mkOption {
- type = with types; listOf str;
- default = [];
- };
- };
- };
- };
-
- api = {
- enable = mkEnableOption "tv.iptables";
-
- accept-echo-request = mkOption {
- type = with types; nullOr (enum ["internet" "retiolum"]);
- default = "retiolum";
- };
-
- input-internet-accept-tcp = mkOption {
- type = with types; listOf (either int str);
- default = [];
- };
-
- input-internet-accept-udp = mkOption {
- type = with types; listOf (either int str);
- default = [];
- };
-
- input-retiolum-accept-tcp = mkOption {
- type = with types; listOf (either int str);
- default = [];
- };
-
- input-retiolum-accept-udp = mkOption {
- type = with types; listOf (either int str);
- default = [];
- };
-
- input-wiregrill-accept-tcp = mkOption {
- type = with types; listOf (either int str);
- default = [];
- };
-
- input-wiregrill-accept-udp = mkOption {
- type = with types; listOf (either int str);
- default = [];
- };
-
- extra = mkOption {
- default = {};
- type = extraTypes.rules;
- };
-
- extra4 = mkOption {
- default = {};
- type = extraTypes.rules;
- };
-
- extra6 = mkOption {
- default = {};
- type = extraTypes.rules;
- };
- };
-
- imp = {
- networking.firewall.enable = false;
-
- systemd.services.tv-iptables = {
- wantedBy = [ "sysinit.target" ];
- wants = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- SyslogIdentifier = "tv-iptables_start";
- ExecStart = pkgs.writeDash "tv-iptables_start" ''
- set -euf
- iptables-restore < ${rules 4}
- ip6tables-restore < ${rules 6}
- '';
- };
-
- unitConfig.DefaultDependencies = false;
- };
- };
-
- formatTable = table:
- (concatStringsSep "\n"
- (mapAttrsToList
- (chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
- table));
-
- rules = iptables-version: let
- accept-echo-request = {
- ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
- ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
- }."ip${toString iptables-version}tables";
- accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
- accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
- in
- pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- ${formatTable cfg."extra${toString iptables-version}".nat}
- ${formatTable cfg.extra.nat}
- COMMIT
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :Retiolum - [0:0]
- :Wiregrill - [0:0]
- ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
- ++ [
- "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
- "-i lo -j ACCEPT"
- ]
- ++ optional (cfg.accept-echo-request == "internet") accept-echo-request
- ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
- ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
- ++ ["-i retiolum -j Retiolum"]
- ++ ["-i wiregrill -j Wiregrill"]
- )}
- ${formatTable cfg.extra.filter}
- ${formatTable cfg."extra${toString iptables-version}".filter}
- ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
- ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
- ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
- ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
- ++ {
- ip4tables = [
- "-p tcp -j REJECT --reject-with tcp-reset"
- "-p udp -j REJECT --reject-with icmp-port-unreachable"
- "-j REJECT --reject-with icmp-proto-unreachable"
- ];
- ip6tables = [
- "-p tcp -j REJECT --reject-with tcp-reset"
- "-p udp -j REJECT --reject-with icmp6-port-unreachable"
- "-j REJECT"
- ];
- }."ip${toString iptables-version}tables"
- )}
- ${concatMapStringsSep "\n" (rule: "-A Wiregrill ${rule}") ([]
- ++ optional (cfg.accept-echo-request == "wiregrill") accept-echo-request
- ++ map accept-tcp (unique (map toString cfg.input-wiregrill-accept-tcp))
- ++ map accept-udp (unique (map toString cfg.input-wiregrill-accept-udp))
- ++ {
- ip4tables = [
- "-p tcp -j REJECT --reject-with tcp-reset"
- "-p udp -j REJECT --reject-with icmp-port-unreachable"
- "-j REJECT --reject-with icmp-proto-unreachable"
- ];
- ip6tables = [
- "-p tcp -j REJECT --reject-with tcp-reset"
- "-p udp -j REJECT --reject-with icmp6-port-unreachable"
- "-j REJECT"
- ];
- }."ip${toString iptables-version}tables"
- )}
- COMMIT
- '';
-}