Add iptables service
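--- a/modules/config/iptables.scm
+++ b/modules/config/iptables.scm
@@ -0,0 +1,52 @@
+;;; Tyreunom's system administration and configuration tools.
+;;;
+;;; Copyright ?? 2020 Julien Lepiller <julien@lepiller.eu>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+;;
+;; Definition of rotation policies
+;;
+
+(define-module (config iptables)
+  #:use-module (gnu services)
+  #:use-module (gnu services networking)
+  #:use-module (guix gexp)
+  #:export (lepiller-iptables-service))
+
+(define ipv4-config
+  (plain-file "iptables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds=60 --hitcount 4 -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+COMMIT
+"))
+
+(define ipv6-config
+  (plain-file "ip6tables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds=60 --hitcount 4 -j REJECT --reject-with icmp6-port-unreachable
+-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+COMMIT
+"))
+
+(define lepiller-iptables-service
+  (service iptables-service-type
+    (iptables-configuration
+      (ipv4-rules ipv4-config)
+      (ipv6-rules ipv6-config))))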
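Review bot: The module comment on line 19 of the new file, `;; Definition of rotation policies`, was carried over from another module and describes nothing in this file; replace it with something like `;; iptables/ip6tables rules: rate-limit new SSH connections (4 per 60 s per source address); every chain keeps its default ACCEPT policy`. A one-line comment above `ipv4-config` stating that INPUT, FORWARD and OUTPUT all default to ACCEPT, so this ruleset only throttles SSH brute-forcing and filters no other traffic, would stop a reader from assuming it is a deny-by-default firewall. The `-m state --state NEW` match used in both rule files is the legacy spelling; `-m conntrack --ctstate NEW` is the current equivalent, and since the IPv4 and IPv6 rule strings differ only in the reject type, factoring the shared rule text into one definition would keep the two from drifting apart when one is edited.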
systems/hermes.scm
| 22 | 22 | (use-modules (gnu services networking)) | |
| 23 | 23 | (use-modules (gnu services web)) | |
| 24 | 24 | (use-modules (config certbot) (config dns) (config mail) (config network) (config os) | |
| 25 | - | (config web)) | |
| 25 | + | (config iptables) (config web)) | |
| 26 | 26 | ||
| 27 | 27 | ||
| 28 | 28 | ;; NOTE: this config contains out-of band files. | |
… | |||
| 77 | 77 | (append | |
| 78 | 78 | (list | |
| 79 | 79 | hermes-network-service | |
| 80 | + | lepiller-iptables-service | |
| 80 | 81 | (service tor-service-type) | |
| 81 | 82 | (tor-hidden-service "lepiller" | |
| 82 | 83 | '((22 "127.0.0.1:22") | |