{ config, lib, pkgs, ... }: {
networking.firewall.allowedUDPPorts = [
3478 # Headscale DERP UDP
10000 # Jitsi
];
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
25 # SMTP (explicit TLS => STARTTLS)
465 # ESMTP (implicit TLS)
587 # ESMTP (explicit TLS => STARTTLS)
143 # IMAP4 (explicit TLS => STARTTLS)
993 # IMAP4 (implicit TLS)
4190 # Sieve support
42420 # Vintage Story
25565 # Minecraft
1443 # Headscale DERP
4443 # jitsi-jvb
5222 # Jitsi
5347 # Jitsi
5280 # Jitsi
];
networking.firewall.extraCommands = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -i wireguard0 -o ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.100.0.2
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wireguard0 -p tcp --dport 80 -d 10.100.0.2 -j SNAT --to-source 10.100.0.1
${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.100.0.2
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wireguard0 -p tcp --dport 443 -d 10.100.0.2 -j SNAT --to-source 10.100.0.1
${pkgs.iptables}/bin/iptables -A FORWARD -i ens3 -o wireguard0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT
'';
services.xinetd = {
enable = false;
services = [
{
name = "http";
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 80";
}
{
name = "https";
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 443";
}
{
name = "jitsi-jvb 4443 tcp";
port = 4443;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 4443";
}
{
name = "jitsi-jvb 5222 tcp";
port = 5222;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 5222";
}
{
name = "jitsi-jvb 5347 tcp";
port = 5347;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 5347";
}
{
name = "jitsi-jvb 5280 tcp";
port = 5280;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 5280";
}
{
name = "minecraft";
port = 25565;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 25565";
}
{
name = "vintage-story";
port = 42420;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 42420";
}
################################################ mail
{
name = "mail 25";
port = 25;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 25";
}
{
name = "mail 465";
port = 465;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 465";
}
{
name = "mail 587";
port = 587;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 587";
}
{
name = "mail 143";
port = 143;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 143";
}
{
name = "mail 993";
port = 993;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 993";
}
{
name = "mail 4190";
port = 4190;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 4190";
}
################################################ mail
################################################ headscale-derp
{
name = "headscale-derp 3478 udp";
port = 3478;
protocol = "udp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 3478";
}
{
name = "headscale-derp 1443 tcp";
port = 1443;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 1443";
}
{
name = "piaware";
port = 8080;
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = piaware-rpi4 8080";
}
# {
# name = "ssh";
# port = 2282;
# unlisted = true;
# server = "/usr/bin/env"; # Placeholder.
# extraConfig = "redirect = 10.100.0.2 22";
# }
];
};
}