From d44fdcfe6a15fe67e2761125f783215fbf53d487 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Wed, 20 Dec 2023 20:41:19 +0000
Subject: [PATCH] nixos/home/routing-common: Restrict SSH access

---
 nixos/boxes/home/routing-common/default.nix | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix
index f02d827..70d6b34 100644
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -318,7 +318,11 @@ in
 enable = true;
 externalInterface = "wan";
 };
- extraRules = ''
+ extraRules =
+ let
+ aa = allAssignments;
+ in
+ ''
 table inet filter {
 chain input {
 iifname base meta l4proto { udp, tcp } th dport domain accept
@@ -326,8 +330,16 @@ in
 }
 chain routing-tcp {
- # Safe enough to allow all SSH
- tcp dport ssh accept
+ ip daddr {
+ ${aa.castle.hi.ipv4.address},
+ ${aa.cellar.hi.ipv4.address},
+ ${aa.palace.hi.ipv4.address}
+ } tcp dport ssh accept
+ ip6 daddr {
+ ${aa.castle.hi.ipv6.address},
+ ${aa.cellar.hi.ipv6.address},
+ ${aa.palace.hi.ipv6.address}
+ } tcp dport ssh accept
 return
 }
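Review bot: The two new accept rules in `chain routing-tcp` match only on destination address, so forwarded SSH to the three `hi` addresses is still accepted from every source interface and address for which this chain is evaluated; whether that includes traffic arriving on `wan` depends on the chain that jumps to `routing-tcp`, which is outside this hunk (the enclosing `extraRules` string and `table inet filter` start in the previous hunk). If WAN-originated traffic can reach this chain, qualify the rules with the ingress interface, e.g. `iifname != "wan" ip daddr { ... } tcp dport ssh accept`, or put an explicit `iifname wan tcp dport ssh drop` ahead of them so the WAN exposure is stated rather than implied by the caller. The IPv6 rule only matches the single `hi.ipv6.address` of each host; if those hosts carry other global addresses, SSH to those is not covered by this rule — presumably intended, but worth saying. Since the `# Safe enough to allow all SSH` comment was removed, replace it with one stating the new policy, e.g. `# Forwarded SSH is only accepted to the hi addresses of castle, cellar and palace; anything else returns to the calling chain`.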