nixos/nat: support nat reflection
This commit is contained in:
parent
29013598a7
commit
328f8a6cba
@ -53,12 +53,36 @@ let
|
|||||||
-i ${cfg.externalInterface} -p ${fwd.proto} \
|
-i ${cfg.externalInterface} -p ${fwd.proto} \
|
||||||
--dport ${builtins.toString fwd.sourcePort} \
|
--dport ${builtins.toString fwd.sourcePort} \
|
||||||
-j DNAT --to-destination ${fwd.destination}
|
-j DNAT --to-destination ${fwd.destination}
|
||||||
|
|
||||||
|
${concatMapStrings (loopbackip:
|
||||||
|
let
|
||||||
|
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
|
||||||
|
destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
|
||||||
|
destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 1;
|
||||||
|
in ''
|
||||||
|
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
|
||||||
|
iptables -w -t nat -A OUTPUT \
|
||||||
|
-d ${loopbackip} -p ${fwd.proto} \
|
||||||
|
--dport ${builtins.toString fwd.sourcePort} \
|
||||||
|
-j DNAT --to-destination ${fwd.destination}
|
||||||
|
|
||||||
|
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
|
||||||
|
iptables -w -t nat -A nixos-nat-pre \
|
||||||
|
-d ${loopbackip} -p ${fwd.proto} \
|
||||||
|
--dport ${builtins.toString fwd.sourcePort} \
|
||||||
|
-j DNAT --to-destination ${fwd.destination}
|
||||||
|
|
||||||
|
iptables -w -t nat -A nixos-nat-post \
|
||||||
|
-d ${destinationIP} -p ${fwd.proto} \
|
||||||
|
--dport ${destinationPorts} \
|
||||||
|
-j SNAT --to-source ${loopbackip}
|
||||||
|
'') fwd.loopbackIPs}
|
||||||
'') cfg.forwardPorts}
|
'') cfg.forwardPorts}
|
||||||
|
|
||||||
${optionalString (cfg.dmzHost != null) ''
|
${optionalString (cfg.dmzHost != null) ''
|
||||||
iptables -w -t nat -A nixos-nat-pre \
|
iptables -w -t nat -A nixos-nat-pre \
|
||||||
-i ${cfg.externalInterface} -j DNAT \
|
-i ${cfg.externalInterface} -j DNAT \
|
||||||
--to-destination ${cfg.dmzHost}
|
--to-destination ${cfg.dmzHost}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${cfg.extraCommands}
|
${cfg.extraCommands}
|
||||||
@ -152,6 +176,13 @@ in
|
|||||||
example = "udp";
|
example = "udp";
|
||||||
description = "Protocol of forwarded connection";
|
description = "Protocol of forwarded connection";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
loopbackIPs = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [];
|
||||||
|
example = literalExample ''[ "55.1.2.3" ]'';
|
||||||
|
description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
default = [];
|
default = [];
|
||||||
|
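Review bot: The SNAT rule appended to nixos-nat-post in the first hunk matches only on `-d ${destinationIP}` and `--dport`, so it rewrites the source of every DNAT'd connection to that destination, not just the hairpinned ones — the internal server then sees all external clients as `${loopbackip}` and loses the real source address for its logs and any source-based access control. Restrict the rule to traffic that originates inside the NAT, e.g. add `-s <internal range>` before `-j SNAT` (one rule per entry of the module's internal-range option, which is outside this hunk). Separately, `--dport ${destinationPorts}` is fed the hyphenated range captured from `ip:port-port`, but iptables' `--dport` takes `port:port`, so a forward with a port range fails to load; `destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1);` fixes it. The OUTPUT rule is appended to the built-in chain rather than a nixos-nat-* chain, so unless the teardown script (not visible here) also flushes OUTPUT, a duplicate is added on every restart of the NAT service.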