From 7f1abe50ce0989d96c3d275a4d0481962848714f Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Thu, 18 Feb 2016 00:50:10 +0100
Subject: xu-qemu0 host: setup iptables

---
 tv/2configs/xu-qemu0.nix | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

(limited to 'tv/2configs/xu-qemu0.nix')

diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
index 2b67a8b8..5be4899c 100644
--- a/tv/2configs/xu-qemu0.nix
+++ b/tv/2configs/xu-qemu0.nix
@@ -15,17 +15,23 @@ in
 #
 #   make [install] system=xu-qemu0 target_host=10.56.0.101
 
-# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
-# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
-# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT
-# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
-
 with config.krebs.lib;
 
 {
   networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
 
+  tv.iptables.extra = {
+    nat.POSTROUTING = ["-j MASQUERADE"];
+    filter.FORWARD = [
+      "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
+    ];
+    filter.INPUT = [
+      "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
+      "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
+    ];
+  };
+
   systemd.network.enable = true;
   systemd.services.systemd-networkd-wait-online.enable = false;
 
-- 
cgit v1.2.3