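{ config, lib, pkgs, ... }:

let
  # Public address of this host; everything sent to it is handed to `backend`.
  publicIp = "172.234.84.222";
  # Internal host that receives the forwarded traffic.
  backend = "10.100.0.2";

  # iptables rules installed by the firewall start script and removed again by
  # the stop script.  Kept in a single list so the two scripts cannot drift
  # apart.  Order matters: iptables walks a chain top to bottom.
  natRules = [
    # Catch-all: every protocol and port addressed to the public IP is DNATed to
    # the backend.  allowedTCPPorts/allowedUDPPorts below do not restrict this
    # path (they only open this host's own INPUT chain), so whatever the backend
    # listens on is reachable from outside.  Narrow this rule to explicit ports
    # if the backend runs anything that should stay private.
    { table = "nat"; chain = "PREROUTING"; rule = "-d ${publicIp} -j DNAT --to-destination ${backend}"; }
    # Replies and outbound traffic from the backend leave with the public IP.
    { table = "nat"; chain = "POSTROUTING"; rule = "-s ${backend} -j SNAT --to-source ${publicIp}"; }
    { table = "filter"; chain = "FORWARD"; rule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"; }
    # PORT 10000 (Jitsi) and PORT 3478 (Headscale DERP), UDP.  The MASQUERADE
    # rewrites the client source address to this host's, so the backend sees
    # the gateway rather than the real peer.
    # NOTE(review): the catch-all DNAT above already matches anything sent to
    # the public IP, so these two DNAT rules only fire for traffic addressed to
    # some other local address -- confirm they are still needed.
    { table = "nat"; chain = "PREROUTING"; rule = "-p udp --dport 10000 -j DNAT --to-destination ${backend}"; }
    { table = "nat"; chain = "POSTROUTING"; rule = "-p udp --dport 10000 -j MASQUERADE"; }
    { table = "nat"; chain = "PREROUTING"; rule = "-p udp --dport 3478 -j DNAT --to-destination ${backend}"; }
    { table = "nat"; chain = "POSTROUTING"; rule = "-p udp --dport 3478 -j MASQUERADE"; }
  ];

  # `iptables -C` succeeds when an identical rule is already present, so
  # re-running the start script (firewall reload) does not append duplicates.
  addRule = r: "iptables -t ${r.table} -C ${r.chain} ${r.rule} 2>/dev/null || iptables -t ${r.table} -A ${r.chain} ${r.rule}";
  # Deleting a rule that is not there must not fail the stop script.
  delRule = r: "iptables -t ${r.table} -D ${r.chain} ${r.rule} 2>/dev/null || true";

  # xinetd ignores `server` for `redirect =` entries, but the option is
  # mandatory, so a harmless executable is given.  Placeholder.
  placeholder = "/usr/bin/env";
  redirectTo = host: port: "redirect = ${host} ${toString port}";
  # A redirect that listens on an explicit port (not looked up in /etc/services)
  # and forwards the same port number to the backend.
  fwd = name: protocol: port: {
    inherit name port protocol;
    unlisted = true;
    server = placeholder;
    extraConfig = redirectTo backend port;
  };
in
{
  networking.firewall = {
    # Ports opened on this host's own INPUT chain.  Traffic to the public IP is
    # DNATed before INPUT is consulted (see natRules), so these openings only
    # matter for packets that reach this host under another address.
    allowedUDPPorts = [
      3478  # Headscale DERP UDP
      10000 # Jitsi
    ];
    allowedTCPPorts = [
      80    # HTTP
      443   # HTTPS
      25    # SMTP (explicit TLS => STARTTLS)
      465   # ESMTP (implicit TLS)
      587   # ESMTP (explicit TLS => STARTTLS)
      143   # IMAP4 (explicit TLS => STARTTLS)
      993   # IMAP4 (implicit TLS)
      4190  # Sieve support
      42420 # Vintage Story
      25565 # Minecraft
      1443  # Headscale DERP
      4443  # jitsi-jvb
      5222  # Jitsi
      5347  # Jitsi
      5280  # Jitsi
    ];

    # NOTE(review): these hooks belong to the iptables-based NixOS firewall; if
    # networking.nftables is enabled on this host they are not applied --
    # confirm which backend is in use.
    extraCommands = builtins.concatStringsSep "\n" (map addRule natRules) + "\n";
    # NOTE(review): the NixOS firewall start/stop scripts only flush their own
    # nixos-fw* chains, so without an explicit stop script the nat/FORWARD rules
    # above stay behind across reloads -- confirm against the running host.
    extraStopCommands = builtins.concatStringsSep "\n" (map delRule natRules) + "\n";
  };

  services.xinetd = {
    # Disabled: these entries duplicate the forwarding already done by the DNAT
    # rules above and are kept for reference only.
    enable = false;
    services = [
      { name = "http"; server = placeholder; extraConfig = redirectTo backend 80; }
      { name = "https"; server = placeholder; extraConfig = redirectTo backend 443; }
      (fwd "jitsi-jvb 4443 tcp" "tcp" 4443)
      (fwd "jitsi-jvb 5222 tcp" "tcp" 5222)
      (fwd "jitsi-jvb 5347 tcp" "tcp" 5347)
      (fwd "jitsi-jvb 5280 tcp" "tcp" 5280)
      (fwd "minecraft" "tcp" 25565)
      (fwd "vintage-story" "tcp" 42420)

      ################################################ mail
      (fwd "mail 25" "tcp" 25)
      (fwd "mail 465" "tcp" 465)
      (fwd "mail 587" "tcp" 587)
      (fwd "mail 143" "tcp" 143)
      (fwd "mail 993" "tcp" 993)
      (fwd "mail 4190" "tcp" 4190)
      ################################################ mail

      ################################################ headscale-derp
      # NOTE(review): xinetd's `redirect =` is documented for TCP services;
      # confirm this UDP entry does anything should xinetd ever be enabled.
      (fwd "headscale-derp 3478 udp" "udp" 3478)
      (fwd "headscale-derp 1443 tcp" "tcp" 1443)

      # Forwards to a different host than the others.  Port 8080 is not in
      # allowedTCPPorts, so even with xinetd enabled this would be blocked on
      # INPUT unless it is opened elsewhere.
      {
        name = "piaware";
        port = 8080;
        unlisted = true;
        server = placeholder;
        extraConfig = redirectTo "piaware-rpi4" 8080;
      }

      # {
      #   name = "ssh";
      #   port = 2282;
      #   unlisted = true;
      #   server = "/usr/bin/env"; # Placeholder.
      #   extraConfig = "redirect = 10.100.0.2 22";
      # }
    ];
  };
}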