natting for mqtt

2025-08-05 10:39:28 +02:00
parent 8c19d07766
commit 1f930f6e1d
1 changed files with 37 additions and 6 deletions
--- a/networking.nix
+++ b/networking.nix
@@ -7,7 +7,7 @@


    firewall = {
-      allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
+      allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
      allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
      trustedInterfaces = [ "incusbr0" ];
    };
@@ -28,6 +28,26 @@
          iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
          iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
          iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 1883 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 8883 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 9001 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 20 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 21 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 22 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 2223 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 990 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 989 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 445 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 111 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" udp dport 111 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 2049 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" udp dport 2049 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 32765 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" udp dport 32765 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 32768 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" udp dport 32768 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 20048 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" udp dport 20048 ct state new,established accept
        }
      }
    '';
@@ -76,6 +96,22 @@
          proto = "tcp";
          destination = "10.46.32.2:443";
        }
+        # MQTT
+        {
+          sourcePort = 1883;
+          proto = "tcp";
+          destination = "10.46.32.153:1883";
+        }
+        {
+          sourcePort = 8883;
+          proto = "tcp";
+          destination = "10.46.32.153:8883";
+        }
+        {
+          sourcePort = 9001;
+          proto = "tcp";
+          destination = "10.46.32.153:9001";
+        }
        # FTP
        {
          sourcePort = 20;
@@ -107,11 +143,6 @@
          proto = "tcp";
          destination = "10.46.32.2:989";
        }
-        {
-          sourcePort = 21;
-          proto = "tcp";
-          destination = "10.46.32.2:21";
-        }
        # SMB
        {
          sourcePort = 445;