{ config, lib, pkgs, ... }: {
networking.firewall.allowedUDPPorts = [
3478 # Headscale DERP UDP
10000 # Jitsi
];
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
25 # SMTP (explicit TLS => STARTTLS)
465 # ESMTP (implicit TLS)
587 # ESMTP (explicit TLS => STARTTLS)
143 # IMAP4 (explicit TLS => STARTTLS)
993 # IMAP4 (implicit TLS)
4190 # Sieve support
42420 # Vintage Story
25565 # Minecraft
1443 # Headscale DERP
4443 # jitsi-jvb
5222 # Jitsi
5347 # Jitsi
5280 # Jitsi
];
networking.firewall.extraCommands = ''
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# TCP PORTS ##################################################################################################
# PORT 80
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
# PORT 443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
# PORT 25
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
# PORT 465
iptables -t nat -A PREROUTING -p tcp --dport 465 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 465 -j MASQUERADE
# PORT 587
iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 587 -j MASQUERADE
# PORT 143
iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 143 -j MASQUERADE
# PORT 993
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 993 -j MASQUERADE
# PORT 4190
iptables -t nat -A PREROUTING -p tcp --dport 4190 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 4190 -j MASQUERADE
# PORT 42420
iptables -t nat -A PREROUTING -p tcp --dport 42420 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 42420 -j MASQUERADE
# PORT 25565
iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 25565 -j MASQUERADE
# PORT 1443
iptables -t nat -A PREROUTING -p tcp --dport 1443 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 1443 -j MASQUERADE
# PORT 4443
iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
# PORT 5222
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
# PORT 5347
iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
# PORT 5280
iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
# UDP PORTS ##################################################################################################
# PORT 10000
iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
# PORT 3478
iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
'';
}