miniupnpd: firewall config

+32 -3
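--- a/nixos/modules/services/networking/miniupnpd.nix
+++ b/nixos/modules/services/networking/miniupnpd.nix
@@ -30,7 +30,7 @@
 
     internalIPs = mkOption {
       type = types.listOf types.str;
-      example = [ "192.168.1.0/24" ];
+      example = [ "192.168.1.1/24" "enp1s0" ];
       description = ''
         The IP address ranges to listen on.
       '';
@@ -57,13 +57,42 @@
   };
 
   config = mkIf cfg.enable {
+    # from miniupnpd/netfilter/iptables_init.sh
+    networking.firewall.extraCommands = ''
+      iptables -t nat -N MINIUPNPD
+      iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t mangle -N MINIUPNPD
+      iptables -t mangle -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t filter -N MINIUPNPD
+      iptables -t filter -A FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t nat -N MINIUPNPD-PCP-PEER
+      iptables -t nat -A POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+    '';
+
+    # from miniupnpd/netfilter/iptables_removeall.sh
+    networking.firewall.extraStopCommands = ''
+      iptables -t nat -F MINIUPNPD
+      iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t nat -X MINIUPNPD
+      iptables -t mangle -F MINIUPNPD
+      iptables -t mangle -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t mangle -X MINIUPNPD
+      iptables -t filter -F MINIUPNPD
+      iptables -t filter -D FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t filter -X MINIUPNPD
+      iptables -t nat -F MINIUPNPD-PCP-PEER
+      iptables -t nat -D POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+      iptables -t nat -X MINIUPNPD-PCP-PEER
+    '';
+
     systemd.services.miniupnpd = {
       description = "MiniUPnP daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.miniupnpd ];
       serviceConfig = {
-        ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -d -f ${configFile}";
+        ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -f ${configFile}";
+        PIDFile = "/var/run/miniupnpd.pid";
+        Type = "forking";
       };
     };
   };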
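Review bot: The new `extraCommands` block (new lines 62–69) is not idempotent: `iptables -t nat -N MINIUPNPD` fails once the chain already exists and each `-A` appends another jump into MINIUPNPD, so a firewall reload that re-runs these commands either aborts the start script (if it runs under `set -e`, which I believe the NixOS firewall scripts do) or stacks duplicate jump rules. The mirrored `extraStopCommands` (new lines 74–85) have the inverse problem: `-F`/`-D`/`-X` on a chain that was never created fails on the first stop or reload. Guard chain creation with `2>/dev/null || true`, test with `-C` before each `-A`, and append `|| true` to the removal commands; the same pattern applies to the mangle, filter and MINIUPNPD-PCP-PEER chains. Separately, the hunk-1 example now lists an interface name (`"enp1s0"`) while the option description still reads `The IP address ranges to listen on.`, so the description should say that interface names are accepted as well.
```nix
    # from miniupnpd/netfilter/iptables_init.sh
    # Runs again on firewall reload: creating an existing chain fails and a
    # second -A would duplicate the jump, so create/append only when absent.
    networking.firewall.extraCommands = ''
      iptables -t nat -N MINIUPNPD 2>/dev/null || true
      iptables -t nat -C PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD 2>/dev/null || \
        iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
      # … same guard pattern for the mangle, filter and MINIUPNPD-PCP-PEER chains …
    '';

    # from miniupnpd/netfilter/iptables_removeall.sh
    # Must tolerate chains that were never created (first stop, partial start).
    networking.firewall.extraStopCommands = ''
      iptables -t nat -F MINIUPNPD 2>/dev/null || true
      iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD 2>/dev/null || true
      iptables -t nat -X MINIUPNPD 2>/dev/null || true
      # … same "|| true" suffix on the remaining removal commands …
    '';
```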