From 1f930f6e1d68d0fb3d2fa0a912c8211a194f2845 Mon Sep 17 00:00:00 2001
From: RootHost-Stormwind
Date: Tue, 5 Aug 2025 10:39:28 +0200
Subject: [PATCH] natting for mqtt

---
 networking.nix | 43 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)

diff --git a/networking.nix b/networking.nix
index 638dc65..0b36226 100644
--- a/networking.nix
+++ b/networking.nix
@@ -7,7 +7,7 @@
 firewall = {
- allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
+ allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
 allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
 trustedInterfaces = [ "incusbr0" ];
 };
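Review bot: Adding 1883, 8883 and 9001 to `allowedTCPPorts` opens them in the host's input chain, which the MQTT traffic never reaches: the `forwardPorts` entries rewrite the destination in prerouting and the packets are then judged by the forward chain, so unless a service on the host itself listens on these ports the change widens the host's input policy without contributing to the forwarding. If the entries are kept deliberately, a comment such as `# host-side listeners only; DNAT'd ports are admitted by the forward rules` on the list would stop the next reader from extending it reflexively. The list is also in no discernible order, which makes it hard to check against the forward rules; sorting it numerically would help. The enclosing `networking` set starts and ends outside the hunk.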
@@ -28,6 +28,26 @@
 iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
 iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
 iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 1883 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 8883 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 9001 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 20 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 21 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 22 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 2223 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 990 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 989 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 445 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 111 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" udp dport 111 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 2049 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" udp dport 2049 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 32765 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" udp dport 32765 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 32768 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" udp dport 32768 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 20048 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" udp dport 20048 ct state new,established accept
 }
 }
 '';
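Review bot: Alongside the three MQTT ports, the new accept rules let traffic from enp4s0 into incusbr0 on 22, 445, 111, 2049 and the NFS helper ports, which goes well beyond the commit's stated scope and, if enp4s0 is the upstream-facing interface, forwards SMB and NFS to it; each of those should be an explicit, separately recorded decision, and 1883/9001 carry MQTT without TLS, so broker credentials cross that interface in cleartext. The TCP and UDP port sets in these rules are identical to `allowedTCPPorts`/`allowedUDPPorts` but are maintained as twenty literal lines, so a port added in one place and forgotten in the other will go unnoticed. Generating the rules from one list, assuming `lib` is among the module arguments, keeps the three copies in step; the enclosing chain and the `''` string start and end outside the hunk.

```nix
# in the module's let-block; the two lists are the ones already in the file
forwardedTcpPorts = [ 80 443 8123 1883 8883 9001 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
forwardedUdpPorts = [ 111 2049 20048 32765 32768 ];
fwdRule = proto: port:
  "iifname \"enp4s0\" oifname \"incusbr0\" ${proto} dport ${toString port} ct state new,established accept";
# … unchanged: chain header …
${lib.concatMapStringsSep "\n" (fwdRule "tcp") forwardedTcpPorts}
${lib.concatMapStringsSep "\n" (fwdRule "udp") forwardedUdpPorts}
# … unchanged: closing braces and '' …
```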
@@ -76,6 +96,22 @@
 proto = "tcp";
 destination = "10.46.32.2:443";
 }
+ # MQTT
+ {
+ sourcePort = 1883;
+ proto = "tcp";
+ destination = "10.46.32.153:1883";
+ }
+ {
+ sourcePort = 8883;
+ proto = "tcp";
+ destination = "10.46.32.153:8883";
+ }
+ {
+ sourcePort = 9001;
+ proto = "tcp";
+ destination = "10.46.32.153:9001";
+ }
 # FTP
 {
 sourcePort = 20;
@@ -107,11 +143,6 @@
 proto = "tcp";
 destination = "10.46.32.2:989";
 }
- {
- sourcePort = 21;
- proto = "tcp";
- destination = "10.46.32.2:21";
- }
 # SMB
 {
 sourcePort = 445;
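Review bot: The three new `forwardPorts` entries hand 1883 and 9001 — MQTT and MQTT-over-WebSocket without TLS — from the host's outside address to 10.46.32.153, so any credentials remote clients send to the broker cross the upstream network in cleartext; if the broker terminates TLS on 8883, forwarding only that port closes the cleartext path, and otherwise a comment stating why 1883/9001 must be reachable externally belongs on the `# MQTT` block. The three near-identical attribute sets could be one helper, `mkMqtt = port: { sourcePort = port; proto = "tcp"; destination = "10.46.32.153:${toString port}"; };` applied as `map mkMqtt [ 1883 8883 9001 ]`, which also pins the broker address in one place. The port-21 entry removed in the following hunk appears to duplicate the FTP block that begins at the end of this one; worth confirming a 21 forward survives, since 21 remains in `allowedTCPPorts` and in the forward rules. The enclosing `forwardPorts` list (presumably `networking.nat.forwardPorts`) starts and ends outside the hunk.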