author | Franz Pletz <fpletz@fnordicwalking.de> | 2018-02-20 16:26:26 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-20 16:26:26 +0000 |
commit | 3942cbea6717b518c80c8342da96775718652ed3 (patch) | |
tree | cfbedf008cc67c8c46bbc54a3b5df76e95510020 /nixos | |
parent | 3cc9445e56fa5252db54c88c6b4ab96723255889 (diff) | |
parent | 328f8a6cba42deb0b3ac0e5f30818739497668d5 (diff) |
Merge pull request #35161 from volth/patch-92
nixos/nat: support nat reflection
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/nat.nix | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index df4246d216d8d..da3827c35e63a 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -53,12 +53,36 @@ let
 -i ${cfg.externalInterface} -p ${fwd.proto} \
 --dport ${builtins.toString fwd.sourcePort} \
 -j DNAT --to-destination ${fwd.destination}
+
+ ${concatMapStrings (loopbackip:
+ let
+ m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
+ destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
+ destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 1;
+ in ''
+ # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
+ iptables -w -t nat -A OUTPUT \
+ -d ${loopbackip} -p ${fwd.proto} \
+ --dport ${builtins.toString fwd.sourcePort} \
+ -j DNAT --to-destination ${fwd.destination}
+
+ # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
+ iptables -w -t nat -A nixos-nat-pre \
+ -d ${loopbackip} -p ${fwd.proto} \
+ --dport ${builtins.toString fwd.sourcePort} \
+ -j DNAT --to-destination ${fwd.destination}
+
+ iptables -w -t nat -A nixos-nat-post \
+ -d ${destinationIP} -p ${fwd.proto} \
+ --dport ${destinationPorts} \
+ -j SNAT --to-source ${loopbackip}
+ '') fwd.loopbackIPs}
 '') cfg.forwardPorts}
 
 ${optionalString (cfg.dmzHost != null) ''
 iptables -w -t nat -A nixos-nat-pre \
 -i ${cfg.externalInterface} -j DNAT \
- --to-destination ${cfg.dmzHost}
+ --to-destination ${cfg.dmzHost}
 ''}
 
 ${cfg.extraCommands}
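Review bot: The `--dport ${destinationPorts}` in the new `nixos-nat-post` SNAT rule is taken verbatim from the DNAT-style `destination` string, where a port range is written `lo-hi` (the regex `[0-9-]+` deliberately admits the hyphen), but iptables' `--dport` spells a range as `lo:hi`, so a forward whose destination is e.g. `10.0.0.1:8000-8010` passes the match and then fails when the generated rule is loaded. Convert the separator when extracting the ports: `destinationPorts = if (m == null) then throw "bad ip:ports ..." else builtins.replaceStrings ["-"] [":"] (elemAt m 1);`. Two further points: the host-side reflection rule is appended directly to the built-in `OUTPUT` chain rather than a module-owned chain, so unless the module's flush logic (not in this hunk) removes it, these rules accumulate on every firewall reload; and the SNAT rule matches on destination only, so every connection the router forwards to `destinationIP:ports`, not just reflected ones, arrives at the internal host with `loopbackip` as its source, hiding the real client address from that host's logs and ACLs. The `let` block enclosing these rules begins before the hunk.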
@@ -152,6 +176,13 @@ in
 example = "udp";
 description = "Protocol of forwarded connection";
 };
+
+ loopbackIPs = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = literalExample ''[ "55.1.2.3" ]'';
+ description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";
+ };
 };
 });
 default = []; |
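Review bot: The description of `loopbackIPs` does not mention that each listed address also installs an SNAT rule in `nixos-nat-post`, so the internal `destination` host sees reflected (and, as written, all forwarded) connections as coming from that address rather than from the real client; the option text should say so, e.g. `description = "Public IPs for NAT reflection: connections to loopbackip:sourcePort from the host itself and from hosts behind NAT are DNATed to destination; the destination host sees their source rewritten to the loopback IP";`. The type `types.listOf types.str` accepts any string, and a typo is only caught when iptables rejects the generated `-d` argument at activation time, so validating the value (a regex check on each entry at evaluation time) would surface the mistake earlier and avoid a partially applied NAT table. The example `55.1.2.3` is an allocated public address; documentation examples conventionally use a reserved range such as `203.0.113.5`. The enclosing `forwardPorts` submodule starts and ends outside the hunk.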