From 6d686cd27db09fc1a9239dd64a41826930da37c4 Mon Sep 17 00:00:00 2001 From: iFargle Date: Wed, 6 Dec 2023 16:50:18 +0900 Subject: [PATCH] Testing xinetd again --- nixos/hosts/osaka-linode-01/default.nix | 1 + nixos/hosts/osaka-linode-01/xinetd.nix | 185 ++++++++++++++++++++++++ 2 files changed, 186 insertions(+) create mode 100644 nixos/hosts/osaka-linode-01/xinetd.nix diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix index 35cc6e8d..5ee7407c 100644 --- a/nixos/hosts/osaka-linode-01/default.nix +++ b/nixos/hosts/osaka-linode-01/default.nix @@ -2,6 +2,7 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./firewall.nix + ./xinetd.nix ./wireguard.nix ]; diff --git a/nixos/hosts/osaka-linode-01/xinetd.nix b/nixos/hosts/osaka-linode-01/xinetd.nix new file mode 100644 index 00000000..ddc7bcae --- /dev/null +++ b/nixos/hosts/osaka-linode-01/xinetd.nix 
@@ -0,0 +1,185 @@
+{ config, lib, pkgs, ... }: {
+ networking.firewall.allowedUDPPorts = [
+ 3478 # Headscale DERP UDP
+ 10000 # Jitsi
+ ];
+ networking.firewall.allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ 25 # SMTP (explicit TLS => STARTTLS)
+ 465 # ESMTP (implicit TLS)
+ 587 # ESMTP (explicit TLS => STARTTLS)
+ 143 # IMAP4 (explicit TLS => STARTTLS)
+ 993 # IMAP4 (implicit TLS)
+ 4190 # Sieve support
+ 42420 # Vintage Story
+ 25565 # Minecraft
+ 1443 # Headscale DERP
+ 4443 # jitsi-jvb
+ 5222 # Jitsi
+ 5347 # Jitsi
+ 5280 # Jitsi
+ ];
+ networking.firewall.extraCommands = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.2 -j SNAT --to-source 172.234.84.222
+ '';
+
+ networking.firewall.extraCommands = ''
+ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # PORT 10000
+ iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
+
+ # PORT 3478
+ iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
+ '';
+
+ services.xinetd = {
+ enable = false;
+ services = [
+ {
+ name = "http";
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 80";
+ }
+ {
+ name = "https";
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 443";
+ }
+ {
+ name = "jitsi-jvb 4443 tcp";
+ port = 4443;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 4443";
+ }
+ {
+ name = "jitsi-jvb 5222 tcp";
+ port = 5222;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 5222";
+ }
+ {
+ name = "jitsi-jvb 5347 tcp";
+ port = 5347;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 5347";
+ }
+ {
+ name = "jitsi-jvb 5280 tcp";
+ port = 5280;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 5280";
+ }
+ {
+ name = "minecraft";
+ port = 25565;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 25565";
+ }
+ {
+ name = "vintage-story";
+ port = 42420;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 42420";
+ }
+
+ ################################################ mail
+ {
+ name = "mail 25";
+ port = 25;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 25";
+ }
+ {
+ name = "mail 465";
+ port = 465;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 465";
+ }
+ {
+ name = "mail 587";
+ port = 587;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 587";
+ }
+ {
+ name = "mail 143";
+ port = 143;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 143";
+ }
+ {
+ name = "mail 993";
+ port = 993;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 993";
+ }
+ {
+ name = "mail 4190";
+ port = 4190;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 4190";
+ }
+ ################################################ mail
+ ################################################ headscale-derp
+ {
+ name = "headscale-derp 3478 udp";
+ port = 3478;
+ protocol = "udp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 3478";
+ }
+ {
+ name = "headscale-derp 1443 tcp";
+ port = 1443;
+ protocol = "tcp";
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = 10.100.0.2 1443";
+ }
+ {
+ name = "piaware";
+ port = 8080;
+ unlisted = true;
+ server = "/usr/bin/env"; # Placeholder.
+ extraConfig = "redirect = piaware-rpi4 8080";
+ }
+ # {
+ # name = "ssh";
+ # port = 2282;
+ # unlisted = true;
+ # server = "/usr/bin/env"; # Placeholder.
+ # extraConfig = "redirect = 10.100.0.2 22";
+ # }
+ ];
+ };
+}
\ No newline at end of file
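Review bot: `networking.firewall.extraCommands` is defined twice in the same attribute set (the `${pkgs.iptables}` block and the plain `iptables` block that follows it), which Nix rejects as a duplicate attribute definition, so the new file does not evaluate as written; keep a single definition and fold the rules you want into it, or put the two strings in separate `lib.mkMerge` entries. The first block is worth dropping on its own: `iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2` matches every protocol and port arriving on the public address, not just the forwarded services, so it would also redirect traffic meant for the host itself (SSH, and the WireGuard endpoint if the peer reaches this host on that address), whereas the second block's per-port `--dport` rules express the intent. Rules appended to the nat table with `-A` do not appear to be among the chains the NixOS firewall flushes on stop or reload, so each restart would add another copy; pairing them with matching `-D` commands in `networking.firewall.extraStopCommands` keeps the table from accumulating duplicates. The `services.xinetd` block is dead configuration while `enable = false`, so none of the `redirect =` entries is exercised by this commit.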