{ config, lib, pkgs, ... }: {
networking.firewall.allowedUDPPorts = [
3478 # Headscale DERP UDP
10000 # Jitsi
];
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
25 # SMTP (explicit TLS => STARTTLS)
465 # ESMTP (implicit TLS)
587 # ESMTP (explicit TLS => STARTTLS)
143 # IMAP4 (explicit TLS => STARTTLS)
993 # IMAP4 (implicit TLS)
4190 # Sieve support
42420 # Vintage Story
25565 # Minecraft
1443 # Headscale DERP
4443 # jitsi-jvb
5222 # Jitsi
5347 # Jitsi
5280 # Jitsi
];
networking.firewall.extraCommands = ''
iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -s 10.100.0.2 -j SNAT --to-source 172.234.84.222
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# PORT 10000
iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
# PORT 3478
iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
# PORT 4443
iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
# PORT 5222
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
# PORT 5347
iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
# PORT 5280
iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
'';
services.xinetd = {
enable = true;
services = [
{
name = "http";
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 80";
}
{
name = "https";
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 443";
}
{
name = "minecraft";
port = 25565;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 25565";
}
{
name = "vintage-story";
port = 42420;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 42420";
}
################################################ mail
{
name = "mail 25";
port = 25;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 25";
}
{
name = "mail 465";
port = 465;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 465";
}
{
name = "mail 587";
port = 587;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 587";
}
{
name = "mail 143";
port = 143;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 143";
}
{
name = "mail 993";
port = 993;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 993";
}
{
name = "mail 4190";
port = 4190;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 4190";
}
################################################ /mail
];
};
}