From d427de57fe7ba41576b3ed0a0bf3d4def657e1ef Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Fri, 21 Apr 2023 15:44:30 +0100
Subject: [PATCH] nixos/firewall: DNAT by IP instead of incoming interface
---
 nixos/boxes/colony/vms/estuary/default.nix | 1 +
 nixos/modules/firewall.nix | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index 5b05578..92ff57c 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -324,6 +324,7 @@ in
 nat = {
 enable = true;
 externalInterface = "wan";
+ externalIP = assignments.internal.ipv4.address;
 forwardPorts = [
 {
 port = "http";
diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index 49cb193..0ce0dcc 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -62,7 +62,7 @@ in
 nat = with options.networking.nat; {
 enable = mkBoolOpt' true "Whether to enable IP forwarding and NAT.";
- inherit externalInterface;
+ inherit externalInterface externalIP;
 forwardPorts = mkOpt' (listOf (submodule forwardOpts)) [ ] "List of port forwards.";
 };
 };
@@ -143,8 +143,8 @@ in
 (mkIf cfg.nat.enable {
 assertions = [
 {
- assertion = (cfg.nat.forwardPorts != [ ]) -> (cfg.nat.externalInterface != null);
- message = "my.firewall.nat.forwardPorts requires my.firewall.nat.externalInterface";
+ assertion = with cfg.nat; (forwardPorts != [ ]) -> (externalInterface != null && externalIP != null);
+ message = "my.firewall.nat.forwardPorts requires my.firewall.nat.external{Interface,IP}";
 }
 ];
 
@@ -198,8 +198,8 @@ in
 }
 chain prerouting {
 ${optionalString
- (cfg.nat.externalInterface != null)
- "iifname ${cfg.nat.externalInterface} jump port-forward"}
+ (cfg.nat.externalIP != null)
+ "ip daddr ${cfg.nat.externalIP} jump port-forward"}
 }
 }
 '';
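Review bot: `externalIP = assignments.internal.ipv4.address;` sits directly under `externalInterface = "wan";`, and it is not clear from this hunk that an address named `internal` is the destination that WAN-side traffic actually carries, which is what the new `ip daddr` match in firewall.nix keys on. If it is (for instance because this VM sits behind an upstream NAT that forwards to that address), a one-line comment such as `# address upstream forwards to; the DNAT rule matches on it rather than on iifname` would save the next reader the lookup; if it is the LAN-side address instead, forwarded ports would only match hairpinned traffic. The enclosing `nat = { ... }` attribute set continues outside the hunk.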
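Review bot: The assertion still demands `externalInterface != null` even though the prerouting rule changed in this same commit now depends on `externalIP` alone, so the relationship between the two options is no longer self-evident from the check. If `externalInterface` is still consumed elsewhere in the module (a masquerade rule seems likely but is outside this hunk), a comment above the assertion such as `# externalInterface still drives masquerade; externalIP drives the DNAT match` would make the dual requirement intentional rather than stale. Existing configurations that set only `externalInterface` will now fail evaluation with the new message, which looks intended but is a breaking change for them. The `mkIf cfg.nat.enable` block continues past the hunk.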
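Review bot: `ip daddr ${cfg.nat.externalIP} jump port-forward` matches IPv4 only, whereas the removed `iifname` match applied to every family, so if the enclosing table is `inet` any IPv6 traffic that previously reached `port-forward` now silently bypasses it; that should at least be recorded with `# IPv4 only: ip daddr never matches IPv6 packets` next to the rule, or paired with an `ip6 daddr` rule once an IPv6 external address is modelled. Dropping the interface match also means a packet arriving on any interface, internal ones included, whose destination is the external IP is DNATed; that enables hairpin access as the subject implies but widens what enters the port-forward chain, and a comment stating that this is deliberate would help a later reader who sees only the rule. The table declaration and the `port-forward` chain are outside the hunk, so whether the table is `ip` or `inet` cannot be confirmed here.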