feat: got port forwarding working

This commit is contained in:
Nick 2025-11-27 16:04:45 -06:00
parent 866c074824
commit 70f7fefd71


@ -46,15 +46,19 @@ in
${pkgs.iptables}/bin/iptables -A INPUT -i lo -j ACCEPT ${pkgs.iptables}/bin/iptables -A INPUT -i lo -j ACCEPT
${pkgs.iptables}/bin/iptables -A OUTPUT -o lo -j ACCEPT ${pkgs.iptables}/bin/iptables -A OUTPUT -o lo -j ACCEPT
# Allow established/related connections # Allow established/related connections on VPN interface only
${pkgs.iptables}/bin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ${pkgs.iptables}/bin/iptables -A OUTPUT -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow established/related connections on local network (for management)
${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH on all interfaces (for management) # Allow SSH on all interfaces (for management)
${pkgs.iptables}/bin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT ${pkgs.iptables}/bin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
${pkgs.iptables}/bin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT ${pkgs.iptables}/bin/iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow local network for management (WebUI, etc) # Allow local network for management (WebUI, etc) - NEW connections
${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -j ACCEPT ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -j ACCEPT
${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT
@ -62,10 +66,17 @@ in
${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport ${toString torrentPort} -d ${vpnEndpoint} -j ACCEPT ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport ${toString torrentPort} -d ${vpnEndpoint} -j ACCEPT
${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -p udp --sport ${toString torrentPort} -s ${vpnEndpoint} -j ACCEPT ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -p udp --sport ${toString torrentPort} -s ${vpnEndpoint} -j ACCEPT
# Allow DNS for WireGuard resolution (if needed) # DNS: Only allow through VPN gateway (10.2.0.1) - no local DNS leaks
${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport 53 -d ${localNet} -j ACCEPT # This rule will only work once WireGuard is up
# If you need DNS before VPN for WireGuard hostname resolution, uncomment below:
# ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport 53 -d 192.168.50.1 -j ACCEPT
# Log dropped packets (optional, for debugging) # Block IPv6 completely (defense in depth, even though we disabled it)
${pkgs.iptables}/bin/ip6tables -P INPUT DROP 2>/dev/null || true
${pkgs.iptables}/bin/ip6tables -P OUTPUT DROP 2>/dev/null || true
${pkgs.iptables}/bin/ip6tables -P FORWARD DROP 2>/dev/null || true
# Log dropped packets (optional, for debugging - comment out in production)
${pkgs.iptables}/bin/iptables -A OUTPUT -j LOG --log-prefix "KILLSWITCH-OUT: " --log-level 4 ${pkgs.iptables}/bin/iptables -A OUTPUT -j LOG --log-prefix "KILLSWITCH-OUT: " --log-level 4
${pkgs.iptables}/bin/iptables -A INPUT -j LOG --log-prefix "KILLSWITCH-IN: " --log-level 4 ${pkgs.iptables}/bin/iptables -A INPUT -j LOG --log-prefix "KILLSWITCH-IN: " --log-level 4
''; '';
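Review bot: The SSH accept on the new side of the first hunk, `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`, is the only inbound allow left without an interface match, so port 22 stays reachable from whatever sits on the far side of wg0, while every other management rule in that hunk is now pinned to enp0s5 and ${localNet}. Pinning it the same way, `${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -p tcp --dport 22 -j ACCEPT`, keeps management off the VPN side; the localNet rule a few lines below already admits SSH from the LAN, so the narrower rule only changes what is reachable from outside ${localNet}. The two LOG rules at the end of the second hunk carry no rate limit; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` keeps a burst of dropped packets from flooding the journal. The default DROP policies these rules rely on are not in either hunk, so I am assuming they are set earlier in the script.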