Test

2023-12-21 15:52:18 +09:00 · 2023-12-21 15:52:18 +09:00 · a43916363d
commit a43916363d
parent e479733676
2 changed files with 55 additions and 58 deletions
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
@ -1,66 +1,68 @@
 { config, lib, pkgs, ... }: {
  networking.firewall.allowedUDPPorts = [
    3478  # Headscale DERP UDP
    10000 # Jitsi
  ];
  networking.firewall.allowedTCPPorts = [
    80    # HTTP
    443   # HTTPS
    # 25    # SMTP  (explicit TLS => STARTTLS)
    # 465   # ESMTP (implicit TLS)
    # 587   # ESMTP (explicit TLS => STARTTLS)
    # 143   # IMAP4 (explicit TLS => STARTTLS)
    # 993   # IMAP4 (implicit TLS)
    # 4190  # Sieve support
    42420 # Vintage Story
    25565 # Minecraft
    1443  # Headscale DERP
    # 4443  # jitsi-jvb
    # 5222  # Jitsi
    # 5347  # Jitsi
    # 5280  # Jitsi
  ];
-  networking.nat = {
+  networking = {
-    enable = true;
+    nftables = {
-    internalInterfaces = [ "enp0s4" ];
+      enable = true;
-    externalInterface = "wireguard0"
+      ruleset = ''
-    forwardPorts =  [
+          table ip nat {
-      { # Headscale DERP UDP
+            chain PREROUTING {
-        destination = "10.100.0.2:3478";
+              type nat hook prerouting priority dstnat; policy accept;
-        proto = "udp";
+              iifname "enp0s4" tcp dport 80    dnat to 10.100.0.2:80    # HTTP
-        sourcePort = 3478;
+              iifname "enp0s4" tcp dport 443   dnat to 10.100.0.2:443   # HTTPS
-      }
+              iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420 # Vintage Story
-      { # Jitsi
+              iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565 # Minecraft
-        destination = "10.100.0.2:10000";
+              iifname "enp0s4" tcp dport 1443  dnat to 10.100.0.2:1443  # Headscale DERP (tcp)
-        proto = "udp";
+              iifname "enp0s4" tcp dport 3478  dnat to 10.100.0.2:3478  # Headscale DERP (udp)
-        sourcePort = 10000;
+            }
-      }
+          }
-      { # HTTP
+      '';
-        destination = "10.100.0.2:80";
+    };
-        proto = "tcp";
+    nat = {
-        sourcePort = 80;
+      enable = true;
-      }
+      internalInterfaces = [ "wireguard0" ];
-      { # HTTPS
+      externalInterface = "enp0s4";
-        destination = "10.100.0.2:443";
+      forwardPorts =  [
-        proto = "tcp";
+        { # Headscale DERP UDP
-        sourcePort = 443;
+          destination = "10.100.0.2:3478";
-      }
+          proto = "udp";
-      { # Vintage Story
+          sourcePort = 3478;
-        destination = "10.100.0.2:42420";
+        }
-        proto = "tcp";
+        { # HTTP
-        sourcePort = 42420;
+          destination = "10.100.0.2:80";
-      }
+          proto = "tcp";
-      { # Minecraft
+          sourcePort = 80;
-        destination = "10.100.0.2:25565";
+        }
-        proto = "tcp";
+        { # HTTPS
-        sourcePort = 25565;
+          destination = "10.100.0.2:443";
-      }
+          proto = "tcp";
-      { # Headscale DERP TCP
+          sourcePort = 443;
-        destination = "10.100.0.2:1443";
+        }
-        proto = "tcp";
+        { # Vintage Story
-        sourcePort = 1443;
+          destination = "10.100.0.2:42420";
-      }
+          proto = "tcp";
-    ];
+          sourcePort = 42420;
        }
        { # Minecraft
          destination = "10.100.0.2:25565";
          proto = "tcp";
          sourcePort = 25565;
        }
        { # Headscale DERP TCP
          destination = "10.100.0.2:1443";
          proto = "tcp";
          sourcePort = 1443;
        }
      ];
    };
  };
 }
--- a/nixos/hosts/osaka-linode-01/wireguard.nix
+++ b/nixos/hosts/osaka-linode-01/wireguard.nix
@ -7,6 +7,7 @@
    10.100.0.2 git.sysctl.io
    10.100.0.2 loki.sysctl.io
    10.100.0.2 influx.sysctl.io
    10.100.0.2 telegraf.sysctl.io
    10.100.0.2 headscale.sysctl.io
  '';
@ -52,10 +53,4 @@
      };
    };
  };
  networking.nat = {
    enable = true;
    internalInterfaces =  [ "wireguard0" ];
    externalInterface  = "enp0s4";
  };
 }