Lock down SSH access from outside

Signed-off-by: magic_rb <magic_rb@redalder.org>
magic_rb 2024-03-30 23:09:27 +01:00
parent 5a66d049ed
commit 61862bda34
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
3 changed files with 8 additions and 2 deletions


@ -17,6 +17,8 @@ in {
boot.supportedFilesystems = ["nfs"];
services.rpcbind.enable = true;
services.openssh.openFirewall = false;
networking = {
hostName = "altra";
hostId = "4eb49917";
@ -76,6 +78,7 @@ in {
interfaces."wg0" = {
allowedTCPPorts = [
8883
22
# ## Consul
# 8600 # DNS
# 8500 # HTTP
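Review bot: The `22` added to `interfaces."wg0".allowedTCPPorts` hard-codes the SSH port, while `services.openssh.openFirewall = false;` at the top of this section switches off the option that would otherwise track `services.openssh.ports`, so if the daemon's port list is ever changed the firewall opening silently stops matching. If this module receives `config`, `allowedTCPPorts = [ 8883 ] ++ config.services.openssh.ports;` keeps the two in step. The `openFirewall = false` line also deserves a one-line why, e.g. `# SSH is reachable only over WireGuard (wg0); see networking.firewall.interfaces below`, since a reader of the top hunk alone cannot tell that access moved rather than vanished. The same pattern appears in the toothpick section (its `22 # SSH` addition to an interface allow-list), and the `networking = {` block is cut by the hunk, so I cannot see whether `22` still sits in the global `allowedTCPPorts`, which would undo the restriction.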


@ -156,7 +156,7 @@ in {
chain input {
type filter hook input priority 0; policy drop;
tcp dport 22 accept comment "Accept SSH traffic always"
iifname != "${wan}" tcp dport 22 accept comment "Accept SSH traffic always"
iifname != "lo" tcp dport 5353 drop comment "Drop traffic to dnscrypt-proxy always except for localhost to localhost traffic"
# Accept WireGuard
@ -269,7 +269,7 @@ in {
# blowhole
# sudo nft add rule nf_filter input iifname { "eno3" } udp dport 2302-2306 accept
# sudo nft add rule nf_nat prerouting ip daddr { 10.64.2.1, 192.168.2.20 } udp dport 2302-2306 dnat 10.64.2.136
# sudo nft add rule nf_nat prerouting ip daddr { 10.64.2.1, 192.168.2.20 } udp dport 2302-2306 dnat 10.64.2.145
# sudo nft add rule nf_nat postrouting udp dport 2302-2306 ip daddr { 10.64.2.1, 192.168.2.20 } masquerade
# omen
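Review bot: The rule comment still reads `"Accept SSH traffic always"` although the new `iifname != "${wan}"` match makes the accept conditional; nftables comments are what an operator sees in `nft list ruleset` during an incident, so it should state what the rule now does, e.g. `comment "Accept SSH from all interfaces except WAN"`. The match is also an allow-by-exclusion: every interface other than the WAN one (a future VLAN, bridge or container veth) receives SSH, and if `wan` were ever an empty string at evaluation time the rule would match everything, whereas an explicit allow on the management or WireGuard interface name fails closed. The `chain input` block begins before this hunk and continues after it, so I cannot see whether a later rule narrows this further.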


@ -17,6 +17,8 @@ in {
boot.supportedFilesystems = ["nfs"];
services.rpcbind.enable = true;
services.openssh.openFirewall = false;
networking = {
hostName = "toothpick";
@ -91,6 +93,7 @@ in {
4647
4648
10000
22 # SSH
];
allowedTCPPortRanges = [
{