configurations for my servers and desktops
nix nixos flake dots dotfiles

feat: nftables

+34 -6
+1
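--- a/hosts/bluepill-proxy/default.nix
+++ b/hosts/bluepill-proxy/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./hardware.nix
 ./modules/caddy.nix
+./modules/nftables.nix
 ];
 
 networking.hostName = "bluepill-proxy";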
-6
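--- a/hosts/bluepill-proxy/modules/caddy.nix
+++ b/hosts/bluepill-proxy/modules/caddy.nix
@@ -6,12 +6,6 @@
 
 services.caddy = {
 enable = true;
-package = pkgs.caddy.withPlugins {
-plugins = [
-"github.com/mholt/caddy-l4@v0.0.0-20251001194302-2e3e6cf60b25"
-];
-hash = "sha256-nIQ3E1gIUqvZA+JMmZmdFy8NMOyuRmA5O+qLi0Ne8s4=";
-};
 email = "devin@devins.page";
 virtualHosts = {
 "knot.devins.page" = {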
+33
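--- a/hosts/bluepill-proxy/modules/nftables.nix
+++ b/hosts/bluepill-proxy/modules/nftables.nix
@@ -0,0 +1,33 @@
+{...}: {
+networking.firewall = {
+networking.firewall.allowedTCPPorts = [25565 23343];
+networking.firewall.allowedUDPPorts = [25565 23343 24454 22232];
+};
+networking.enableIPv4Forwarding = true;
+
+networking.nftables = {
+enable = true;
+ruleset = ''
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority 0;
+
+tcp dport 25565 dnat to 100.108.47.83:25565
+udp dport 25565 dnat to 100.108.47.83:25565
+udp dport 24454 dnat to 100.108.47.83:24454
+
+tcp dport 23343 dnat to 100.108.47.83:23343
+udp dport 23343 dnat to 100.108.47.83:23343
+udp dport 22232 dnat to 100.108.47.83:22232
+}
+}
+
+table ip filter {
+chain forward {
+type filter hook forward priority 0;
+policy accept;
+}
+}
+'';
+};
+}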
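Review bot: The `forward` chain at the end of the ruleset is `policy accept` with forwarding switched on, so this host will route any packet that reaches it, not only the DNAT'd game ports. I would default it to drop and accept only established flows and connections that went through the DNAT rules. The DNAT rules also match on every interface, so an `iifname` match on the public interface would scope them further. Separately, the two port lists inside `networking.firewall = { … }` repeat the full `networking.firewall.` prefix, which defines `networking.firewall.networking.firewall.allowedTCPPorts` and should fail evaluation as an unknown option. I also cannot place `networking.enableIPv4Forwarding` as a NixOS option, so it is worth checking it against `boot.kernel.sysctl."net.ipv4.ip_forward"`.

```nix
  networking.firewall = {
    allowedTCPPorts = [25565 23343];
    allowedUDPPorts = [25565 23343 24454 22232];
  };
  # … unchanged: forwarding toggle, nftables enable, table ip nat …
      table ip filter {
        chain forward {
          type filter hook forward priority 0;
          policy drop;

          ct state established,related accept
          ct status dnat accept
        }
      }
```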