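# NixOS module: firewall and NAT for a multi-segment router.
# Covers per-interface inbound port openings, an inter-container policy on the
# Docker bridge used by traefik, and traffic shaping on the WAN uplink.
{ config, lib, pkgs, ... }:

let
  # Traefik's fixed address on br_traefik and the container network it may reach.
  # The allow rule and its conntrack return rule in extraCommands both use these,
  # so defining them once keeps the pair from drifting apart.
  traefikAddr = "10.160.11.254/32";
  containerNet = "10.160.8.0/22";

  # sshd listens on a non-default port; the same value is opened on every
  # interface that admits SSH (wan, lan, mgmt, wg0).
  sshPort = 9022;
in
{
  networking = {
    # Firewall configuration
    firewall = {
      allowPing = true;
      # Rate-limit ICMP echo so a ping flood cannot exhaust the host.
      pingLimit = "--limit 10/second --limit-burst 5";

      # Runs after the NixOS-managed rules are installed. These are IPv4 iptables
      # commands only; no ip6tables equivalent is configured here.
      #
      # tc: replace whatever root qdisc is on wan with CAKE shaped to 2Mbit.
      # Both steps are best-effort ("|| true") so a shaping failure never keeps
      # the firewall from starting.
      #
      # DOCKER-USER is the chain Docker consults before its own FORWARD rules, so
      # policy placed here is not bypassed by Docker's published-port rules.
      # "-N || -F" creates the chain if Docker has not yet, and otherwise flushes
      # it so a firewall reload does not append duplicate rules. The REJECT only
      # covers traffic that both enters and leaves via br_traefik; other Docker
      # bridges are not restricted by this chain.
      extraCommands = ''
        ${pkgs.iproute2}/bin/tc qdisc del dev wan root || true
        ${pkgs.iproute2}/bin/tc qdisc add dev wan root cake bandwidth 2Mbit atm conservative || true

        iptables -N DOCKER-USER || iptables -F DOCKER-USER
        # Allow traffic to/from traefik
        iptables -A DOCKER-USER -i br_traefik -o br_traefik -s ${traefikAddr} -d ${containerNet} -j ACCEPT
        iptables -A DOCKER-USER -i br_traefik -o br_traefik -s ${containerNet} -d ${traefikAddr} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        # Drop all other inter-container traffic
        iptables -A DOCKER-USER -i br_traefik -o br_traefik -j REJECT
      '';

      # On stop the chain is flushed rather than deleted so Docker's jump into it
      # stays valid. Note that inter-container traffic on br_traefik is then
      # unrestricted until the firewall starts again.
      extraStopCommands = ''
        iptables -F DOCKER-USER || true
      '';

      # Inbound ports opened per interface. Anything not listed for an interface
      # falls back to the firewall's default policy. "eoc" is NATed below but has
      # no entry here, so it gets no interface-specific openings.
      interfaces = {
        # Only SSH is reachable from the internet side.
        # NOTE(review): this assumes sshd hardening (e.g. key-only auth) is
        # configured elsewhere — confirm in the sshd module.
        wan = {
          allowedTCPPorts = [
            sshPort # ssh
          ];
        };

        lan = {
          allowedTCPPorts = [
            53 # dns
            445 # samba
            5357 # samba
            1500 # iperf
            sshPort # ssh
          ];
          allowedUDPPorts = [
            53 # dns
            67 # dhcp
            3702 # samba
          ];
        };

        # Guest and IoT segments get DNS and DHCP only.
        guest = {
          allowedTCPPorts = [
            53 # dns
          ];
          allowedUDPPorts = [
            53 # dns
            67 # dhcp
          ];
        };

        iot = {
          allowedTCPPorts = [
            53 # dns
          ];
          allowedUDPPorts = [
            53 # dns
            67 # dhcp
          ];
        };

        mgmt = {
          allowedTCPPorts = [
            53 # dns
            445 # samba
            5357 # samba
            sshPort # ssh
          ];
          allowedUDPPorts = [
            53 # dns
            67 # dhcp
          ];
        };

        # WireGuard peers.
        wg0 = {
          allowedTCPPorts = [
            53 # dns
            445 # samba
            1337 # tryme
            1338 # watchme
            1339 # multiplayer
            5900 # vnc
            8090 # send
            sshPort # ssh
          ];
          allowedUDPPorts = [
            53 # dns
          ];
        };

        # Host services reachable from containers on the traefik bridge.
        br_traefik = {
          allowedTCPPorts = [
            3456 # ntop
            9090 # cockpit
          ];
        };
      };
    };

    # NAT
    # Masquerade the internal segments out through wan.
    nat = {
      enable = true;
      externalInterface = "wan";
      internalInterfaces = [
        "lan"
        "guest"
        "iot"
        "mgmt"
        "eoc"
      ];
    };
  };
}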