xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

clean up wireguard firewall

Browse source
This commit is contained in:
xunuwu 2025-06-01 21:00:06 +02:00
parent 41e84a51e4
commit 04eb8b5ff6
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
1 changed files with 14 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

46
sys/machines/rackserv/wireguard-server.nix
View file

@ -34,18 +34,24 @@
allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port)); allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port));
extraCommands = extraCommands =
portsAndIpsList portsAndIpsList
|> map (x: '' |> map (x:
${x.protocols |> map (protocol: "iptables -t nat -A PREROUTING -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"} x.protocols
${x.protocols |> map (protocol: "iptables -t nat -A POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"} |> map (protocol: ''
'') iptables -t nat -A PREROUTING -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}
iptables -t nat -A POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19
''))
|> b.concatLists
|> b.concatStringsSep "\n"; |> b.concatStringsSep "\n";
extraStopCommands = extraStopCommands =
portsAndIpsList portsAndIpsList
|> map (x: '' |> map (x:
${x.protocols |> map (protocol: "iptables -t nat -D PREROUTING -t nat -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"} x.protocols
${x.protocols |> map (protocol: "iptables -t nat -D POSTROUTING -t nat -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"} |> map (protocol: ''
'') iptables -t nat -D PREROUTING -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp} || true
iptables -t nat -D POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19 || true
''))
|> b.concatLists
|> b.concatStringsSep "\n"; |> b.concatStringsSep "\n";
interfaces.wg0 = { interfaces.wg0 = {
@ -104,28 +110,4 @@
bind-interfaces = true; bind-interfaces = true;
}; };
}; };
# networking.wireguard = {
# enable = true;
# interfaces.wg0 = {
# ips = ["10.0.0.0/10"];
# listenPort = 51820;
# postSetup = ''
# ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
# '';
# postShutdown = ''
# ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
# '';
#
# privateKeyFile = config.sops.secrets.wireguard-privatekey.path;
#
# peers = [
# {
# # hopper
# publicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
# allowedIPs = ["10.0.0.1/32"];
# }
# ];
# };
# };
} }