leonetienne/stormwind-nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8c19d07766509ee21ac1b483e680f5fa1dc6a822
stormwind-nixfiles/networking.nix
RootHost-Stormwind 964131901a cleanup network config
2025-07-31 09:03:13 +02:00

177 lines
4.2 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, ... }:
{
networking = {
hostName = "Stormwind";
networkmanager.enable = false;
firewall = {
allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
trustedInterfaces = [ "incusbr0" ];
};
# heres the custom nftables filter ruleset for forwarded traffic:
nftables.ruleset = ''
table ip filter {
chain forward {
type filter hook forward priority 0; policy drop;
# allow established/related replies
ct state established,related accept
# allow new+established VMInternet
iifname "incusbr0" oifname "enp4s0" ct state new,established accept
iifname "incusbr1" oifname "enp4s0" ct state new,established accept
# allow natted replies
iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
}
}
'';
bridges = {
incusbr0 = {
interfaces = [];
};
incusbr1 = {
interfaces = [];
};
};
interfaces = {
incusbr0 = {
ipv4.addresses = [
{ address = "10.46.32.1"; prefixLength = 24; }
];
};
incusbr1 = {
ipv4.addresses = [
{ address = "10.46.33.1"; prefixLength = 24; }
];
};
};
nat = {
enable = true;
internalInterfaces = [ "incusbr0" "incusbr1" ];
externalInterface = "enp4s0";
forwardPorts = [
# Web-UI for home-assistant
{
sourcePort = 8123;
proto = "tcp";
destination = "10.46.32.153:8123";
}
# Web-UI for nas
{
sourcePort = 80;
proto = "tcp";
destination = "10.46.32.2:80";
}
{
sourcePort = 443;
proto = "tcp";
destination = "10.46.32.2:443";
}
# FTP
{
sourcePort = 20;
proto = "tcp";
destination = "10.46.32.2:20";
}
{
sourcePort = 21;
proto = "tcp";
destination = "10.46.32.2:21";
}
{
sourcePort = 22;
proto = "tcp";
destination = "10.46.32.2:22";
}
{
sourcePort = 2223;
proto = "tcp";
destination = "10.46.32.2:2223";
}
{
sourcePort = 990;
proto = "tcp";
destination = "10.46.32.2:990";
}
{
sourcePort = 989;
proto = "tcp";
destination = "10.46.32.2:989";
}
{
sourcePort = 21;
proto = "tcp";
destination = "10.46.32.2:21";
}
# SMB
{
sourcePort = 445;
proto = "tcp";
destination = "10.46.32.2:445";
}
# NFS
{
sourcePort = 111;
proto = "tcp";
destination = "10.46.32.2:111";
}
{
sourcePort = 111;
proto = "udp";
destination = "10.46.32.2:111";
}
{
sourcePort = 2049;
proto = "tcp";
destination = "10.46.32.2:2049";
}
{
sourcePort = 2049;
proto = "udp";
destination = "10.46.32.2:2049";
}
{
sourcePort = 32765;
proto = "tcp";
destination = "10.46.32.2:32765";
}
{
sourcePort = 32765;
proto = "udp";
destination = "10.46.32.2:32765";
}
{
sourcePort = 32768;
proto = "tcp";
destination = "10.46.32.2:32768";
}
{
sourcePort = 32768;
proto = "udp";
destination = "10.46.32.2:32768";
}
{
sourcePort = 20048;
proto = "tcp";
destination = "10.46.32.2:20048";
}
{
sourcePort = 20048;
proto = "udp";
destination = "10.46.32.2:20048";
}
];
};
};
}
Reference in New Issue View Git Blame Copy Permalink