nixos/firewall: DNAT by IP instead of incoming interface

2023-04-21 15:44:30 +01:00 · 2023-04-21 15:44:30 +01:00 · d427de57fe
commit d427de57fe
parent 4d8935ffd6
2 changed files with 6 additions and 5 deletions
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -324,6 +324,7 @@ in
                nat = {
                  enable = true;
                  externalInterface = "wan";
+                  externalIP = assignments.internal.ipv4.address;
                  forwardPorts = [
                    {
                      port = "http";
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@ -62,7 +62,7 @@ in

    nat = with options.networking.nat; {
      enable = mkBoolOpt' true "Whether to enable IP forwarding and NAT.";
-      inherit externalInterface;
+      inherit externalInterface externalIP;
      forwardPorts = mkOpt' (listOf (submodule forwardOpts)) [ ] "List of port forwards.";
    };
  };
@ -143,8 +143,8 @@ in
    (mkIf cfg.nat.enable {
      assertions = [
        {
-          assertion = (cfg.nat.forwardPorts != [ ]) -> (cfg.nat.externalInterface != null);
-          message = "my.firewall.nat.forwardPorts requires my.firewall.nat.externalInterface";
+          assertion = with cfg.nat; (forwardPorts != [ ]) -> (externalInterface != null && externalIP != null);
+          message = "my.firewall.nat.forwardPorts requires my.firewall.nat.external{Interface,IP}";
        }
      ];

@ -198,8 +198,8 @@ in
            }
            chain prerouting {
              ${optionalString
-                (cfg.nat.externalInterface != null)
-                "iifname ${cfg.nat.externalInterface} jump port-forward"}
+                (cfg.nat.externalIP != null)
+                "ip daddr ${cfg.nat.externalIP} jump port-forward"}
            }
          }
        '';