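# Host firewall, nftables backend.
#
# Two problems in the original expression are fixed here:
#  * `${pkgs.nftables}` was referenced but `pkgs` was not a module argument,
#    so the expression did not evaluate;
#  * `extraCommands` sat at `config.extraCommands` (outside networking.firewall)
#    rather than under the firewall, and even placed correctly it is the
#    iptables-only hook, which the nftables-based firewall rejects. The shell
#    lines also ended in `|| true`, so a failing `nft add rule` would have been
#    silently discarded and the intended rules never applied.
{ config, ... }:
{
  config = {
    # Use the nftables-based firewall implementation.
    networking.nftables.enable = true;

    networking.firewall = {
      enable = true;
      allowPing = true;
      # These ports are accepted from any source address.
      allowedTCPPorts = [ 53 80 443 ];
      allowedUDPPorts = [ 53 443 ];

      # nftables-syntax rules appended to the firewall's input-allow chain.
      # They are part of the declarative ruleset, so a malformed rule fails the
      # firewall unit loudly instead of being dropped by an `|| true`.
      # Established/related traffic is already accepted by the firewall's input
      # chain before these rules are reached, so that rule is not repeated.
      #
      # NOTE(review): while 443 is listed in allowedTCPPorts above, this rule
      # is redundant — HTTPS is already open to every source. If the intent is
      # to accept HTTPS only from the podman and LAN ranges, remove 443 from
      # allowedTCPPorts and keep this rule.
      extraInputRules = ''
        # Accept HTTPS from the podman network and the two LAN ranges
        ip saddr { 10.89.0.0/16, 192.168.11.0/24, 192.168.27.0/24 } tcp dport 443 accept
      '';
    };
  };
}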