nixos/home/routing-common: Restrict SSH access

Jack O'Sullivan 2023-12-20 20:41:19 +00:00
parent b48e7b1c33
commit d44fdcfe6a


@ -318,7 +318,11 @@ in
enable = true; enable = true;
externalInterface = "wan"; externalInterface = "wan";
}; };
extraRules = '' extraRules =
let
aa = allAssignments;
in
''
table inet filter { table inet filter {
chain input { chain input {
iifname base meta l4proto { udp, tcp } th dport domain accept iifname base meta l4proto { udp, tcp } th dport domain accept
@ -326,8 +330,16 @@ in
} }
chain routing-tcp { chain routing-tcp {
# Safe enough to allow all SSH ip daddr {
tcp dport ssh accept ${aa.castle.hi.ipv4.address},
${aa.cellar.hi.ipv4.address},
${aa.palace.hi.ipv4.address}
} tcp dport ssh accept
ip6 daddr {
${aa.castle.hi.ipv6.address},
${aa.cellar.hi.ipv6.address},
${aa.palace.hi.ipv6.address}
} tcp dport ssh accept
return return
} }