From 1c331d9bc4b87a25020663977587bafe4adb3ca5 Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Sun, 8 Dec 2024 22:25:43 +0300
Subject: [PATCH] Syncthing: Rework firewall.
---
 config/Syncthing.nix | 17 ++++++++++++++++-
 host/x86_64-linux/dasha/Network.nix | 9 +++++++++
 host/x86_64-linux/desktop/Network.nix | 14 ++++++++++++++
 host/x86_64-linux/home/Network.nix | 19 ++++++-------------
 host/x86_64-linux/home/default.nix | 1 -
 host/x86_64-linux/laptop/Network.nix | 9 +++++++++
 host/x86_64-linux/pocket/Network.nix | 9 +++++++++
 host/x86_64-linux/work/Network.nix | 9 +++++++++
 option/Syncthing.nix | 4 ----
 system/Firewall.nix | 23 +++++++++++++++++++++--
 10 files changed, 93 insertions(+), 21 deletions(-)
 create mode 100644 host/x86_64-linux/dasha/Network.nix
 create mode 100644 host/x86_64-linux/desktop/Network.nix
 create mode 100644 host/x86_64-linux/laptop/Network.nix
 create mode 100644 host/x86_64-linux/pocket/Network.nix
 create mode 100644 host/x86_64-linux/work/Network.nix
diff --git a/config/Syncthing.nix b/config/Syncthing.nix
index b04c5d0..4bdfc51 100644
--- a/config/Syncthing.nix
+++ b/config/Syncthing.nix
@@ -2,14 +2,29 @@
 config,
 lib,
 pkgs,
+ util,
 ...
 }: let
 cfg = config.module.syncthing;
 in {
 config = lib.mkIf cfg.enable {
+ # CLI tools.
 environment.systemPackages = with pkgs; [ syncthing ];
+
+ # Access at sync.lan.
+ networking.hosts = { "127.0.0.1" = [ "sync.local" ]; };
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."sync.local".extraConfig = util.trimTabs ''
+ location / {
+ allow 127.0.0.1;
+ deny all;
+ proxy_pass http://127.0.0.1:8384;
+ }
+ '';
+
 services.syncthing = {
- inherit (cfg) enable dataDir user group openDefaultPorts;
+ inherit (cfg) enable dataDir user group;
+ openDefaultPorts = false;
 systemService = true;
 settings = lib.recursiveUpdate cfg.settings {
 devices = {
diff --git a/host/x86_64-linux/dasha/Network.nix b/host/x86_64-linux/dasha/Network.nix
new file mode 100644
index 0000000..8d4e836
--- /dev/null
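Review bot: The comment above the hosts entry says `# Access at sync.lan.` while the name actually mapped and served is `sync.local`; one of the two should change, and `.local` is the suffix RFC 6762 reserves for mDNS, so a name under it invites confusion with multicast resolution on any host running avahi or resolved's mDNS responder, whereas a `.lan` name (as the comment already says) has no such overlap. The nginx vhost is also bound on every address by default, so the loopback-only intent currently rests on the `allow 127.0.0.1; deny all;` block plus the global firewall; adding `listen = [ { addr = "127.0.0.1"; port = 80; } ];` to the vhost would state that intent in the binding itself and keep the GUI proxy off the network even if the firewall defaults change later. Note that `allow 127.0.0.1` does not match `::1`, which is consistent as long as the hosts entry stays IPv4-only, but is worth a comment so the restriction is not "fixed" by adding an IPv6 loopback mapping without extending the allow list.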
+++ b/host/x86_64-linux/dasha/Network.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ networking = {
+ firewall.extraCommands = ''
+ # Ssh access.
+ iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 -p tcp --dport 22143
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+ '';
+ };
+}
diff --git a/host/x86_64-linux/desktop/Network.nix b/host/x86_64-linux/desktop/Network.nix
new file mode 100644
index 0000000..bb763fd
--- /dev/null
+++ b/host/x86_64-linux/desktop/Network.nix
@@ -0,0 +1,14 @@
+{ ... }: {
+ networking = {
+ firewall.extraCommands = ''
+ # Ssh access.
+ iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 -p tcp --dport 22143
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+
+ # Syncthing.
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22000
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p udp --dport 22000
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p udp --dport 21027
+ '';
+ };
+}
diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix
index c4226e4..0b10c56 100644
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@@ -13,9 +13,6 @@
 lan = "br0"; # Lan interface.
 wan = "enp8s0"; # Wan interface.
 in {
- # Disable SSH access from everywhere, configure access bellow.
- services.openssh.openFirewall = false;
-
 # Disable systemd-resolved for DNS server.
 services.resolved.enable = false;
 
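Review bot: This file is byte-identical to the new laptop, pocket and work Network.nix files (all four share blob 8d4e836), so the SSH allow-list for 10.0.0.0/8 and fd09:8d46:0b26::/48 on port 22143 is now maintained in four places; a shared module under system/ that the per-host files import, or a small function taking the port, would keep the subnets and port from drifting apart the next time one copy is edited. None of these four hosts opens 22000 or 21027, and `openDefaultPorts` is now hard-wired to `false` in config/Syncthing.nix, so if Syncthing is enabled on any of them (their default.nix is not in this patch) they can only sync over connections they initiate themselves and local discovery on 21027/udp will not reach them; if that is intended, a comment such as `# No inbound Syncthing: this host only dials out.` would save the next reader a firewall hunt. The rules here also match on source address only, with no `-i`, which is reasonable for a roaming client but differs from the interface-bound style used in home/Network.nix and is worth stating.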
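Review bot: The 21027/udp rule filters on `-s fd09:8d46:0b26::/48`, but Syncthing's IPv6 local discovery announces to a link-scope multicast group, and source address selection for link-scope destinations normally picks the sender's link-local (fe80::/10) address rather than a ULA one, so these announcements may never match this rule; that is an inference from the rule text, so confirm with a capture on the LAN before relying on discovery, and if it holds, either match on the interface (`-i <lan-if>`) or on `-s fe80::/10` for the discovery rule only. Separately, the Syncthing rules are IPv6-only while the SSH rule directly above is dual-stack; if skipping IPv4 is deliberate, a comment such as `# Syncthing (IPv6 only: peers use the ULA prefix).` prevents someone from "fixing" it later, and if it is not, the 10.0.0.0/8 counterparts are missing. The home/Network.nix hunk in this patch uses the same v6-only pattern but matches on the LAN interface, so it is not affected by the source-address issue.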
@@ -155,21 +152,12 @@ in {
 networkmanager.enable = lib.mkForce false;
 firewall = {
 enable = true;
- allowPing = true;
- rejectPackets = false; # Drop.
-
- logRefusedConnections = false;
- logReversePathDrops = false;
- logRefusedPackets = false;
- logRefusedUnicastsOnly = true;
-
 extraCommands = util.trimTabs ''
 # Wan access for 10.0.0.0/8 subnet.
 iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 0/0 -o ${wan} -j MASQUERADE
 
 # Full access from Lan.
- iptables -I INPUT -j ACCEPT -i ${lan}
- ip6tables -I INPUT -j ACCEPT -i ${lan}
+ ip46tables -I INPUT -j ACCEPT -i ${lan}
 
 # Public email server.
 ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 25
@@ -194,6 +182,11 @@ in {
 ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22666
 ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 22666
 
+ # Syncthing.
+ ip6tables -I INPUT -j ACCEPT -i ${lan} -p tcp --dport 22000
+ ip6tables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 22000
+ ip6tables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 21027
+
 # Public SSH access.
 # ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22143
 '';
diff --git a/host/x86_64-linux/home/default.nix b/host/x86_64-linux/home/default.nix
index 03361de..1440315 100644
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@@ -16,7 +16,6 @@
 syncthing = {
 enable = true;
 dataDir = "/storage/hot/sync";
- openDefaultPorts = false;
 user = "root";
 group = "root";
 };
diff --git a/host/x86_64-linux/laptop/Network.nix b/host/x86_64-linux/laptop/Network.nix
new file mode 100644
index 0000000..8d4e836
--- /dev/null
+++ b/host/x86_64-linux/laptop/Network.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ networking = {
+ firewall.extraCommands = ''
+ # Ssh access.
+ iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 -p tcp --dport 22143
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+ '';
+ };
+}
diff --git a/host/x86_64-linux/pocket/Network.nix b/host/x86_64-linux/pocket/Network.nix
new file mode 100644
index 0000000..8d4e836
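Review bot: The three Syncthing rules added in the second hunk are dead rules: the same extraCommands string already contains `ip46tables -I INPUT -j ACCEPT -i ${lan}` (first hunk), which accepts every packet arriving on ${lan} regardless of protocol or port, so the `-i ${lan} --dport 22000/21027` entries can never be the deciding match. If they are meant to document which ports Syncthing needs, a comment such as `# Syncthing (already covered by the full-LAN accept above; listed for reference).` makes that explicit; otherwise they can simply be dropped, which also avoids the impression that Syncthing is only reachable over IPv6 on this host when in fact IPv4 from the LAN is accepted too. The extraCommands string and the enclosing firewall attribute set begin in the first hunk and end outside this view.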
--- /dev/null
+++ b/host/x86_64-linux/pocket/Network.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ networking = {
+ firewall.extraCommands = ''
+ # Ssh access.
+ iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 -p tcp --dport 22143
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+ '';
+ };
+}
diff --git a/host/x86_64-linux/work/Network.nix b/host/x86_64-linux/work/Network.nix
new file mode 100644
index 0000000..8d4e836
--- /dev/null
+++ b/host/x86_64-linux/work/Network.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ networking = {
+ firewall.extraCommands = ''
+ # Ssh access.
+ iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 -p tcp --dport 22143
+ ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+ '';
+ };
+}
diff --git a/option/Syncthing.nix b/option/Syncthing.nix
index 131d772..b8e921a 100644
--- a/option/Syncthing.nix
+++ b/option/Syncthing.nix
@@ -24,9 +24,5 @@ in {
 default = "users";
 type = lib.types.str;
 };
- openDefaultPorts = lib.mkOption {
- default = true;
- type = lib.types.bool;
- };
 };
 }
diff --git a/system/Firewall.nix b/system/Firewall.nix
index 5c9a0aa..5013fa5 100644
--- a/system/Firewall.nix
+++ b/system/Firewall.nix
@@ -1,3 +1,22 @@
-{ ... }: {
- networking.firewall.enable = true;
+{
+ lib,
+ ...
+}: {
+ networking.firewall = {
+ enable = true;
+
+ # NOTE: Configure manually with `extraCommands`.
+ allowedTCPPortRanges = lib.mkForce [ ];
+ allowedTCPPorts = lib.mkForce [ ];
+ allowedUDPPortRanges = lib.mkForce [ ];
+ allowedUDPPorts = lib.mkForce [ ];
+
+ allowPing = true;
+ rejectPackets = false; # Drop.
+
+ logRefusedConnections = false;
+ logRefusedPackets = false;
+ logRefusedUnicastsOnly = true;
+ logReversePathDrops = false;
+ };
 }
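Review bot: `lib.mkForce [ ]` on the four allowed*Ports options silently discards whatever another module contributes to them — `services.openssh.openFirewall`, which defaults to true, and any per-host `allowedTCPPorts` someone writes later — with no evaluation warning, so a port a module expected to open simply stays closed and the only symptom is a timeout. Turning that into a build-time error is safer: take `config` in the module arguments and add an assertion that `config.networking.firewall.allowedTCPPorts`, `allowedUDPPorts` and the two range lists are empty, with a message pointing at `extraCommands`, and set `services.openssh.openFirewall = false;` here explicitly (this patch removes that line from home/Network.nix, leaving the force as the only thing keeping the SSH port out of the generic accept list). Separately, as far as the NixOS firewall module goes `logRefusedUnicastsOnly` only gates the broadcast/multicast log lines when `logRefusedPackets` is true, so with `logRefusedPackets = false` the `logRefusedUnicastsOnly = true` line is a no-op, and `logRefusedConnections = false` removes the "refused connection" log for dropped TCP SYNs on every host; on the home router that is the one inbound audit trail of the WAN side, so consider leaving it enabled there with a per-host override and documenting why it is off elsewhere.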