From 02c1f8d2703aa03e41adcd5aec0d3ec402bbb367 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 7 Feb 2016 03:09:14 +0100 Subject: tv: accept internet echo requests --- tv/3modules/iptables.nix | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) (limited to 'tv/3modules/iptables.nix') diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index cbf49f577..9d5b5d075 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -13,6 +13,11 @@ let api = { enable = mkEnableOption "tv.iptables"; + accept-echo-request = mkOption { + type = with types; nullOr (enum ["internet" "retiolum"]); + default = "retiolum"; + }; + input-internet-accept-new-tcp = mkOption { type = with types; listOf (either int str); default = []; @@ -49,10 +54,14 @@ let }; - accept-new-tcp = port: - "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; - - rules = iptables-version: + rules = iptables-version: let + accept-echo-request = { + ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"; + ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"; + }."ip${toString iptables-version}tables"; + accept-new-tcp = port: + "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + in pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' *nat :PREROUTING ACCEPT [0:0] 
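Review bot: The new accept-echo-request option has no description, so its three states can only be worked out from the `optional (cfg.accept-echo-request == …)` sites in the later hunk: "internet" accepts echo requests on INPUT from any interface (the rule sits ahead of the jump to the Retiolum chain), "retiolum" accepts them only inside the Retiolum chain, and null accepts them nowhere, leaving them to the INPUT DROP policy. Add `description = "Where ICMP/ICMPv6 echo requests are accepted: \"internet\" (any interface), \"retiolum\" (Retiolum chain only) or null (nowhere).";` to the mkOption. The default "retiolum" keeps the behaviour that the Retiolum chain previously had unconditionally, which is worth stating in that description as well.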
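Review bot: The accept-echo-request rule strings defined in the new `let` carry no rate limit, and with accept-echo-request = "internet" the INPUT chain reaches them for every interface, so a flood of echo requests is accepted unthrottled before the DROP policy has any say. If that is not intended, the limit match keeps replies bounded, e.g. (constructed values) `ip4tables = "-p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 20 -j ACCEPT";` with the same `-m limit` clause on the ip6tables variant; otherwise a short comment on the attrset saying the lack of a limit is deliberate would do. The body of `rules` continues past the end of this hunk.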
@@ -76,18 +85,12 @@ let "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "-i lo -j ACCEPT" ] + ++ optional (cfg.accept-echo-request == "internet") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) ++ ["-i retiolum -j Retiolum"] )} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] - ++ { - ip4tables = [ - "-p icmp -m icmp --icmp-type echo-request -j ACCEPT" - ]; - ip6tables = [ - "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT" - ]; - }."ip${toString iptables-version}tables" + ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) ++ { ip4tables = [ -- cgit v1.2.3 From 356bb8e0d3f9add02e177a3bdfa9314e1369748e Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 8 Feb 2016 02:19:38 +0100 Subject: tv.iptables: redirect 11423 locally too --- tv/3modules/iptables.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'tv/3modules/iptables.nix') diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index 9d5b5d075..a4ebef44f 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -68,12 +68,13 @@ let :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] - ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([] - ++ [ - "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" - "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" - ] - )} + ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [ + "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" + "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ]} + ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [ + "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ]} COMMIT *filter :INPUT DROP [0:0] -- cgit v1.2.3 From 42d2d5de77590e7d6c421a3f7d80126f34646750 Mon Sep 17 00:00:00 2001 
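Review bot: The new nat OUTPUT rule is undocumented, and its `-o lo` match is the only thing keeping locally generated connections to other hosts' port 11423 from being rewritten to port 22, so that intent should be recorded next to the rule. The hunk sits inside the `''` string that becomes the rules file, whose start and end lie outside the hunk, and iptables-restore skips lines beginning with `#`, so a plain line before the OUTPUT block works, e.g. `# local 11423 -> 22 as in PREROUTING; -o lo keeps outbound ssh to other hosts untouched`. Alternatively `-m comment --comment "..."` on the rule itself keeps the explanation visible in iptables -t nat -L output.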
From: tv Date: Mon, 8 Feb 2016 03:40:41 +0100 Subject: tv.iptables: inline startScript and use SyslogIdentifier --- tv/3modules/iptables.nix | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'tv/3modules/iptables.nix') diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index a4ebef44f..4924db4f3 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -48,7 +48,12 @@ let Type = "simple"; RemainAfterExit = true; Restart = "always"; - ExecStart = "@${startScript} tv-iptables_start"; + SyslogIdentifier = "tv-iptables_start"; + ExecStart = pkgs.writeDash "tv-iptables_start" '' + set -euf + iptables-restore < ${rules 4} + ip6tables-restore < ${rules 6} + ''; }; }; }; @@ -108,16 +113,7 @@ let )} COMMIT ''; - - startScript = pkgs.writeScript "tv-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules 4} - ip6tables-restore < ${rules 6} - ''; - -in -out +in out #let # cfg = config.tv.iptables; -- cgit v1.2.3 From 673853e092c211e26a08030f87f9c868c6442a71 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 14 Feb 2016 16:43:44 +0100 Subject: RIP specialArgs.lib --- tv/3modules/iptables.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'tv/3modules/iptables.nix') diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index 4924db4f3..c0fd7ec12 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -1,13 +1,12 @@ { config, lib, pkgs, ... }: -with builtins; -with lib; +with config.krebs.lib; let cfg = config.tv.iptables; out = { options.tv.iptables = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { -- cgit v1.2.3
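Review bot: The inlined start script applies the IPv4 ruleset before the IPv6 one has been checked, so with `set -euf` a parse error in ${rules 6} leaves iptables on the new rules and ip6tables on whatever was loaded before, and the surrounding `Restart = "always"` then presumably re-runs the script in a loop without ever completing the IPv6 half. Validating both files first avoids the half-configured state: `iptables-restore --test < ${rules 4}` and `ip6tables-restore --test < ${rules 6}` ahead of the two real restore calls. The serviceConfig attrset continues outside the hunk, so whether Restart/RemainAfterExit were revisited there is not visible here.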
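Review bot: Only mkIf is qualified as `lib.mkIf` after the scope change, while mkOption, mkEnableOption, types, optional, unique and concatMapStringsSep (used unqualified further down, as the earlier hunks in this series show) now resolve through `with config.krebs.lib;`. If krebs.lib does not re-export those nixpkgs lib names the module fails to evaluate with an undefined-variable error; if it does, the single qualified call is inconsistent with the rest. Either qualify the other lib names the same way or, once the re-export is confirmed, drop the `lib.` prefix here so the file has one resolution style. Since option declarations now force config.krebs.lib during evaluation, it is also worth confirming that this does not recurse in the module system; the page does not show how krebs.lib is defined.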