diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index 60605f7e..21f4dcfd 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
@@ -1,66 +1,68 @@
 { config, lib, pkgs, ... }:
 {
 networking.firewall.allowedUDPPorts = [
 3478 # Headscale DERP UDP
- 10000 # Jitsi
 ];
 networking.firewall.allowedTCPPorts = [
 80 # HTTP
 443 # HTTPS
- # 25 # SMTP (explicit TLS => STARTTLS)
- # 465 # ESMTP (implicit TLS)
- # 587 # ESMTP (explicit TLS => STARTTLS)
- # 143 # IMAP4 (explicit TLS => STARTTLS)
- # 993 # IMAP4 (implicit TLS)
- # 4190 # Sieve support
 42420 # Vintage Story
 25565 # Minecraft
 1443 # Headscale DERP
- # 4443 # jitsi-jvb
- # 5222 # Jitsi
- # 5347 # Jitsi
- # 5280 # Jitsi
 ];
- networking.nat = {
- enable = true;
- internalInterfaces = [ "enp0s4" ];
- externalInterface = "wireguard0"
- forwardPorts = [
- { # Headscale DERP UDP
- destination = "10.100.0.2:3478";
- proto = "udp";
- sourcePort = 3478;
- }
- { # Jitsi
- destination = "10.100.0.2:10000";
- proto = "udp";
- sourcePort = 10000;
- }
- { # HTTP
- destination = "10.100.0.2:80";
- proto = "tcp";
- sourcePort = 80;
- }
- { # HTTPS
- destination = "10.100.0.2:443";
- proto = "tcp";
- sourcePort = 443;
- }
- { # Vintage Story
- destination = "10.100.0.2:42420";
- proto = "tcp";
- sourcePort = 42420;
- }
- { # Minecraft
- destination = "10.100.0.2:25565";
- proto = "tcp";
- sourcePort = 25565;
- }
- { # Headscale DERP TCP
- destination = "10.100.0.2:1443";
- proto = "tcp";
- sourcePort = 1443;
- }
- ];
+ networking = {
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname "enp0s4" tcp dport 80 dnat to 10.100.0.2:80 # HTTP
+ iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443 # HTTPS
+ iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420 # Vintage Story
+ iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565 # Minecraft
+ iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443 # Headscale DERP (tcp)
+ iifname "enp0s4" tcp dport 3478 dnat to 10.100.0.2:3478 # Headscale DERP (udp)
+ }
+ }
+ '';
+ };
+ nat = {
+ enable = true;
+ 
internalInterfaces = [ "wireguard0" ];
+ externalInterface = "enp0s4";
+ forwardPorts = [
+ { # Headscale DERP UDP
+ destination = "10.100.0.2:3478";
+ proto = "udp";
+ sourcePort = 3478;
+ }
+ { # HTTP
+ destination = "10.100.0.2:80";
+ proto = "tcp";
+ sourcePort = 80;
+ }
+ { # HTTPS
+ destination = "10.100.0.2:443";
+ proto = "tcp";
+ sourcePort = 443;
+ }
+ { # Vintage Story
+ destination = "10.100.0.2:42420";
+ proto = "tcp";
+ sourcePort = 42420;
+ }
+ { # Minecraft
+ destination = "10.100.0.2:25565";
+ proto = "tcp";
+ sourcePort = 25565;
+ }
+ { # Headscale DERP TCP
+ destination = "10.100.0.2:1443";
+ proto = "tcp";
+ sourcePort = 1443;
+ }
+ ];
+ };
 };
 }
\ No newline at end of file
diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix
index 27fd3984..13f93e92 100644
--- a/nixos/hosts/osaka-linode-01/wireguard.nix
+++ b/nixos/hosts/osaka-linode-01/wireguard.nix
@@ -7,6 +7,7 @@
 10.100.0.2 git.sysctl.io
 10.100.0.2 loki.sysctl.io
+ 10.100.0.2 influx.sysctl.io
 10.100.0.2 telegraf.sysctl.io
 10.100.0.2 headscale.sysctl.io
 '';
@@ -52,10 +53,4 @@
 };
 };
 };
-
- networking.nat = {
- enable = true;
- internalInterfaces = [ "wireguard0" ];
- externalInterface = "enp0s4";
- };
 }
\ No newline at end of file
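Review bot: The last rule in the nftables `ruleset`, `iifname "enp0s4" tcp dport 3478 dnat to 10.100.0.2:3478 # Headscale DERP (udp)`, matches TCP although its own comment and the matching `forwardPorts` entry (`proto = "udp"`) describe UDP, so it redirects TCP/3478 and leaves the DERP/STUN UDP traffic to the nat module's rules alone; it should read `iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478 # Headscale DERP (udp)`. More generally the hand-written `table ip nat` repeats every `networking.nat.forwardPorts` entry, and with `networking.nftables.enable = true` the nat module presumably installs its own DNAT rules on the same prerouting hook, so each forwarded port is now declared twice and the two copies can drift exactly as 3478 has. Keeping only `forwardPorts` (or only the ruleset) would leave a single place to audit which public ports on `enp0s4` are exposed to `10.100.0.2` across the tunnel. Note also that `allowedTCPPorts`/`allowedUDPPorts` only govern traffic addressed to this host, not the forwarded flows, so they place no limit on what the DNAT rules admit.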