author | Arseniy Seroka <jagajaga@users.noreply.github.com> | 2015-12-13 23:03:11 +0300 |
---|---|---|
committer | Arseniy Seroka <jagajaga@users.noreply.github.com> | 2015-12-13 23:03:11 +0300 |
commit | 7bb418e02cf73fa6545e605ebab5a337b43e78a1 (patch) | |
tree | 169d18213c06fcf774521452e1ac94e9e8120ac0 /nixos | |
parent | f0cdf17ee8eca6d3318728c49528aa8adb8fba4f (diff) | |
parent | 0f1de2ea9fd7f92e745a1ace6f24e73ae750d14f (diff) | |
Merge pull request #11681 from jgillich/upnpd-fw
miniupnpd: firewall config
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/miniupnpd.nix | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/miniupnpd.nix b/nixos/modules/services/networking/miniupnpd.nix
index e654eb80b177..19400edb68f9 100644
--- a/nixos/modules/services/networking/miniupnpd.nix
+++ b/nixos/modules/services/networking/miniupnpd.nix
@@ -30,7 +30,7 @@ in
     internalIPs = mkOption {
       type = types.listOf types.str;
-      example = [ "192.168.1.0/24" ];
+      example = [ "192.168.1.1/24" "enp1s0" ];
       description = ''
         The IP address ranges to listen on.
       '';
 
@@ -57,13 +57,42 @@ in
   };
 
   config = mkIf cfg.enable {
+    # from miniupnpd/netfilter/iptables_init.sh
+    networking.firewall.extraCommands = ''
+      iptables -t nat -N MINIUPNPD
+      iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t mangle -N MINIUPNPD
+      iptables -t mangle -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t filter -N MINIUPNPD
+      iptables -t filter -A FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t nat -N MINIUPNPD-PCP-PEER
+      iptables -t nat -A POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+    '';
+
+    # from miniupnpd/netfilter/iptables_removeall.sh
+    networking.firewall.extraStopCommands = ''
+      iptables -t nat -F MINIUPNPD
+      iptables -t nat -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t nat -X MINIUPNPD
+      iptables -t mangle -F MINIUPNPD
+      iptables -t mangle -D PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t mangle -X MINIUPNPD
+      iptables -t filter -F MINIUPNPD
+      iptables -t filter -D FORWARD -i ${cfg.externalInterface} ! -o ${cfg.externalInterface} -j MINIUPNPD
+      iptables -t filter -X MINIUPNPD
+      iptables -t nat -F MINIUPNPD-PCP-PEER
+      iptables -t nat -D POSTROUTING -o ${cfg.externalInterface} -j MINIUPNPD-PCP-PEER
+      iptables -t nat -X MINIUPNPD-PCP-PEER
+    '';
+
     systemd.services.miniupnpd = {
       description = "MiniUPnP daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.miniupnpd ];
       serviceConfig = {
-        ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -d -f ${configFile}";
+        ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -f ${configFile}";
+        PIDFile = "/var/run/miniupnpd.pid";
+        Type = "forking";
       };
     };
   };
|
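Review bot: The new `networking.firewall.extraCommands` block is not idempotent: `iptables -t nat -N MINIUPNPD` (and the other `-N` lines) fails if the chain already exists, and every `-A PREROUTING`/`-A POSTROUTING`/`-A FORWARD` jump is appended again on each run, so if the firewall start script is re-executed while the chains are still present (a reload, or a restart after the stop commands did not run, e.g. after a crash) the jumps into the MINIUPNPD chains are either duplicated or the script aborts part-way, leaving the port-mapping rules in an undefined state. A tolerant form per chain keeps the same behaviour on a clean start, e.g. `iptables -t nat -N MINIUPNPD 2>/dev/null || iptables -t nat -F MINIUPNPD` and `iptables -t nat -C PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD 2>/dev/null || iptables -t nat -A PREROUTING -i ${cfg.externalInterface} -j MINIUPNPD`, applied to each of the eight `-N`/`-A` lines. Since the filter jump is appended with `-A FORWARD`, it presumably lands after whatever FORWARD rules other modules have already installed; if any of those end in a reject/drop, redirects that miniupnpd opens would never be reached, so the ordering relative to the rest of the forwarding policy is worth confirming on a real host. These commands only program IPv4 (`iptables`); if miniupnpd is also expected to open IPv6 pinholes, a matching `ip6tables` set is missing, which should at least be stated in a comment such as `# IPv4 only; no ip6tables chains are created`.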