
nixos/nat: support nat reflection

authored by

volth and committed by
volth
328f8a6c 29013598

+32 -1
+32 -1
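--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -53,12 +53,36 @@
 -i ${cfg.externalInterface} -p ${fwd.proto} \
 --dport ${builtins.toString fwd.sourcePort} \
 -j DNAT --to-destination ${fwd.destination}
+
+${concatMapStrings (loopbackip:
+let
+m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
+destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
+destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 1;
+in ''
+# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
+iptables -w -t nat -A OUTPUT \
+-d ${loopbackip} -p ${fwd.proto} \
+--dport ${builtins.toString fwd.sourcePort} \
+-j DNAT --to-destination ${fwd.destination}
+
+# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
+iptables -w -t nat -A nixos-nat-pre \
+-d ${loopbackip} -p ${fwd.proto} \
+--dport ${builtins.toString fwd.sourcePort} \
+-j DNAT --to-destination ${fwd.destination}
+
+iptables -w -t nat -A nixos-nat-post \
+-d ${destinationIP} -p ${fwd.proto} \
+--dport ${destinationPorts} \
+-j SNAT --to-source ${loopbackip}
+'') fwd.loopbackIPs}
 '') cfg.forwardPorts}
 
 ${optionalString (cfg.dmzHost != null) ''
 iptables -w -t nat -A nixos-nat-pre \
 -i ${cfg.externalInterface} -j DNAT \
- --to-destination ${cfg.dmzHost}
+ --to-destination ${cfg.dmzHost}
 ''}
 
 ${cfg.extraCommands}
@@ -151,6 +175,13 @@
 default = "tcp";
 example = "udp";
 description = "Protocol of forwarded connection";
+};
+
+loopbackIPs = mkOption {
+type = types.listOf types.str;
+default = [];
+example = literalExample ''[ "55.1.2.3" ]'';
+description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";
 };
 };
 });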
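Review bot: The SNAT rule appended to nixos-nat-post (new lines 75-78) carries no source match, so every packet to `destinationIP:destinationPorts` — including connections from genuine external clients that the pre-existing forward rule DNATs — is rewritten to `--to-source ${loopbackip}`, and the backend host sees the public address for all clients; logging, rate limiting and address-based access control on that host lose the real client IP. Limiting the rule to hairpin traffic, for example with an `-s` match on the internal address ranges the module is already configured with (those options are outside this hunk), leaves the existing forwarding path untouched. Separately, `--dport ${destinationPorts}` passes the `lo-hi` range form that `--to-destination` accepts, but `--dport` expects `lo:hi`, so a destination such as `10.0.0.1:80-90` produces a rule iptables rejects; the range should be converted before use, e.g. `--dport ${replaceStrings ["-"] [":"] destinationPorts} \`. The DNAT rule on new line 64 is appended to the builtin OUTPUT chain rather than a module-owned chain; if the module's teardown (outside this hunk) only flushes nixos-nat-pre and nixos-nat-post, those rules survive a restart and accumulate as duplicates.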