From 940b295c17836b35669c8b918215c7dffd5150e7 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 28 Dec 2023 13:56:57 +0100 Subject: [PATCH] router0-dmz0: expose a DMZ host --- nix/os/devices/router0-dmz0/configuration.nix | 30 +++++++++++++++++-- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 98bc922..5c90210 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -173,9 +173,26 @@ in { # https://github.com/thelegy/nixos-nftables-firewall/tree/main # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) - nftables = { + nftables = + { enable = true; stopRuleset = ""; + + chains = { + prerouting = { + "redirectweb" = { + after = ["hook"]; + rules = let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + exposedHost = "192.168.22.121"; + in [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" + ]; + }; + }; + }; + firewall = { enable = true; zones = { @@ -260,6 +277,12 @@ in { verdict = "accept"; }; + wan-to-dmz = { + from = ["wan"]; + to = ["dmz"]; + verdict = "accept"; + }; + wan-to-fw = { from = ["wan"]; to = ["fw"]; @@ -740,8 +763,9 @@ in { proxy-dnssec = true; conntrack = true; - log-debug = true; - log-queries = true; + # enable for debugging + # log-debug = true; + # log-queries = true; # disable negative caching no-negcache = true;
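Review bot: The second rule in `redirectweb` DNATs every packet arriving on a WAN interface — any protocol, any port — to 192.168.22.121, not only web traffic as the chain name suggests; the preceding line carves out only TCP 220. Because this runs in prerouting, new connections to any service the router itself answers on WAN (whatever `wan-to-fw` permits, outside this hunk) would be rewritten to the DMZ host before the filter chains see them, and the DMZ host receives unsolicited UDP/ICMP from the whole internet. If a consumer-style catch-all "DMZ host" is the intent, say so in a comment above the rule; otherwise narrow it to the ports actually served, e.g. `"iifname { ${wanInterfaces} } tcp dport { 80, 443 } dnat ip to ${exposedHost}"`. `redirect to 22` puts the router's own SSH on the internet via port 220 and presumably relies on a `wan-to-fw` rule that accepts port 22 — confirm that rule exists and is what you want, and note that `exposedHost` is a literal, so 192.168.22.121 should be a static or reserved address or the DNAT target can silently drift to another DMZ machine.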
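Review bot: `wan-to-dmz` accepts all forwarded traffic from the wan zone into the dmz zone unconditionally, which is broader than needed to carry the connections the prerouting DNAT creates. Tying the accept to NAT state — `ct status dnat accept` — would admit only connections the `redirectweb` rules rewrote and keep any other wan→dmz path closed; if the module's rule syntax allows an expression here, replace `verdict = "accept";` with `rules = [ "ct status dnat accept" ];` (hedged: I have not checked this version of nixos-nftables-firewall exposes `rules` on a policy). Either way, a comment such as `# carries connections DNAT'd by chains.prerouting.redirectweb to the exposed host` would tie the two pieces together so they are not changed independently.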