miniupnpd: firewall config
Jakob Gillich
10 years ago
0f1de2ea
3eab158f
+32
-3
1 changed file
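--- a/nixos/modules/services/networking/miniupnpd.nix
+++ b/nixos/modules/services/networking/miniupnpd.nix
@@ -30,7 +30,7 @@
 
 internalIPs = mkOption {
 type = types.listOf types.str;
-example = [ "192.168.1.0/24" ];
+example = [ "192.168.1.1/24" "enp1s0" ];
 description = ''
 The IP address ranges to listen on.
 '';
@@ -57,13 +57,42 @@
 };
 
 config = mkIf cfg.enable {
+# from miniupnpd/netfilter/iptables_init.sh
+networking.firewall.extraCommands = ''
+iptables -t nat -N MINIUPNPD
+iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+iptables -t mangle -N MINIUPNPD
+iptables -t mangle -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+iptables -t filter -N MINIUPNPD
+iptables -t filter -A FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+iptables -t nat -N MINIUPNPD-PCP-PEER
+iptables -t nat -A POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+'';
+
+# from miniupnpd/netfilter/iptables_removeall.sh
+networking.firewall.extraStopCommands = ''
+iptables -t nat -F MINIUPNPD
+iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+iptables -t nat -X MINIUPNPD
+iptables -t mangle -F MINIUPNPD
+iptables -t mangle -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+iptables -t mangle -X MINIUPNPD
+iptables -t filter -F MINIUPNPD
+iptables -t filter -D FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+iptables -t filter -X MINIUPNPD
+iptables -t nat -F MINIUPNPD-PCP-PEER
+iptables -t nat -D POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+iptables -t nat -X MINIUPNPD-PCP-PEER
+'';
+
 systemd.services.miniupnpd = {
 description = "MiniUPnP daemon";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
-path = [ pkgs.miniupnpd ];
 serviceConfig = {
-ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -d -f ${configFile}";
+ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -f ${configFile}";
+PIDFile = "/var/run/miniupnpd.pid";
+Type = "forking";
 };
 };
 };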
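Review bot: The commands added to `networking.firewall.extraCommands` and `networking.firewall.extraStopCommands` are not idempotent: `iptables -N` fails when the chain already exists, `-F`/`-D`/`-X` fail when it does not, and a repeated `-A` duplicates the jump rule. If the firewall script stops on the first failing command (its error handling is not visible in this file), a reload or a stop without a prior start could leave the host with a partially applied ruleset. Each teardown line should tolerate absence, e.g. `iptables -t nat -F MINIUPNPD 2>/dev/null || true`, and chain creation could fall back to a flush, e.g. `iptables -t nat -N MINIUPNPD 2>/dev/null || iptables -t nat -F MINIUPNPD`. `${cfg.externalInterface}` is also spliced into the script unquoted, so an empty or space-containing value silently changes the rule; quoting it as `-i "${cfg.externalInterface}"` would make that fail loudly instead. The rules cover IPv4 only, which deserves a comment next to `# from miniupnpd/netfilter/iptables_init.sh`.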