author | Jakob Gillich <jakob@gillich.me> | 2015-12-13 16:43:31 +0100 |
---|---|---|
committer | Jakob Gillich <jakob@gillich.me> | 2015-12-13 16:44:58 +0100 |
commit | 0f1de2ea9fd7f92e745a1ace6f24e73ae750d14f (patch) | |
tree | 2a59dfae0d06829ea37e5a06196115c21f40195b /nixos/modules/services/networking/miniupnpd.nix | |
parent | 3eab158fb8007d03e9ed295068140bbe25306bef (diff) | |
miniupnpd: firewall config
Diffstat (limited to 'nixos/modules/services/networking/miniupnpd.nix')
-rw-r--r-- | nixos/modules/services/networking/miniupnpd.nix | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/miniupnpd.nix b/nixos/modules/services/networking/miniupnpd.nix
index e654eb80b177..19400edb68f9 100644
--- a/nixos/modules/services/networking/miniupnpd.nix
+++ b/nixos/modules/services/networking/miniupnpd.nix
@@ -30,7 +30,7 @@ in
 internalIPs = mkOption {
 type = types.listOf types.str;
- example = [ "192.168.1.0/24" ];
+ example = [ "192.168.1.1/24" "enp1s0" ];
 description = ''
 The IP address ranges to listen on.
 '';
@@ -57,13 +57,42 @@ in
 };
 config = mkIf cfg.enable {
+ # from miniupnpd/netfilter/iptables_init.sh
+ networking.firewall.extraCommands = ''
+ iptables -t nat -N MINIUPNPD
+ iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+ iptables -t mangle -N MINIUPNPD
+ iptables -t mangle -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+ iptables -t filter -N MINIUPNPD
+ iptables -t filter -A FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+ iptables -t nat -N MINIUPNPD-PCP-PEER
+ iptables -t nat -A POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+ '';
+
+ # from miniupnpd/netfilter/iptables_removeall.sh
+ networking.firewall.extraStopCommands = ''
+ iptables -t nat -F MINIUPNPD
+ iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+ iptables -t nat -X MINIUPNPD
+ iptables -t mangle -F MINIUPNPD
+ iptables -t mangle -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+ iptables -t mangle -X MINIUPNPD
+ iptables -t filter -F MINIUPNPD
+ iptables -t filter -D FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+ iptables -t filter -X MINIUPNPD
+ iptables -t nat -F MINIUPNPD-PCP-PEER
+ iptables -t nat -D POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+ iptables -t nat -X MINIUPNPD-PCP-PEER
+ '';
+
 systemd.services.miniupnpd = {
 description = "MiniUPnP daemon";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- path = [ pkgs.miniupnpd ];
 serviceConfig = {
- ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -d -f ${configFile}";
+ ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -f ${configFile}";
+ PIDFile = "/var/run/miniupnpd.pid";
+ Type = "forking";
 };
 };
 };
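Review bot: The chain setup in `extraCommands` is not safe to run twice: each `iptables ... -N MINIUPNPD` errors once the chain already exists, which is the situation whenever the firewall unit is reloaded or restarted without `extraStopCommands` having run in between, and the `-A PREROUTING`/`-A FORWARD`/`-A POSTROUTING` jumps would be appended a second time on every rerun. The teardown in `extraStopCommands` has the mirror problem, since every `-D`/`-X` fails when the chain is absent; each of those lines should tolerate that with a trailing `2>/dev/null || true`. Whether a failing command aborts the rest of the generated firewall script I cannot tell from this hunk, but either way the rule set ends up differing between a first start and a reload, and the setup side is sketched below. Because the daemon now relies on these chains existing, its unit should probably also be ordered after the firewall: `after = [ "network.target" "firewall.service" ];`. The `config` attribute set continues past the end of the hunk.
```nix
networking.firewall.extraCommands = ''
  # create-if-missing, then drop and re-add the jump so a reload never duplicates it
  iptables -t nat -N MINIUPNPD 2>/dev/null || true
  iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD 2>/dev/null || true
  iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
  # … same create/delete/add pattern for the mangle and filter chains and for MINIUPNPD-PCP-PEER …
'';
```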