system-configuration

system-configuration/modules/config/iptables.scm

iptables.scm

;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2020 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

;;
;; Definition of rotation policies
;;

(define-module (config iptables)
  #:use-module (gnu services)
  #:use-module (gnu services networking)
  #:use-module (guix gexp)
  #:export (lepiller-iptables-service))

(define ipv4-config
  (plain-file "iptables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds=60 --hitcount 4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
COMMIT
"))

(define ipv6-config
  (plain-file "ip6tables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds=60 --hitcount 4 -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
COMMIT
"))

(define lepiller-iptables-service
  (service iptables-service-type
    (iptables-configuration
      (ipv4-rules ipv4-config)
      (ipv6-rules ipv6-config))))


1	;;; Tyreunom's system administration and configuration tools.
2	;;;
3	;;; Copyright © 2020 Julien Lepiller <julien@lepiller.eu>
4	;;;
5	;;; This program is free software: you can redistribute it and/or modify
6	;;; it under the terms of the GNU General Public License as published by
7	;;; the Free Software Foundation, either version 3 of the License, or
8	;;; (at your option) any later version.
9	;;;
10	;;; This program is distributed in the hope that it will be useful,
11	;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
12	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13	;;; GNU General Public License for more details.
14	;;;
15	;;; You should have received a copy of the GNU General Public License
16	;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18	;;
19	;; Definition of rotation policies
20	;;
21
22	(define-module (config iptables)
23	#:use-module (gnu services)
24	#:use-module (gnu services networking)
25	#:use-module (guix gexp)
26	#:export (lepiller-iptables-service))
27
28	(define ipv4-config
29	(plain-file "iptables.rules" "*filter
30	:INPUT ACCEPT
31	:FORWARD ACCEPT
32	:OUTPUT ACCEPT
33	-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds=60 --hitcount 4 -j REJECT --reject-with icmp-port-unreachable
34	-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
35	COMMIT
36	"))
37
38	(define ipv6-config
39	(plain-file "ip6tables.rules" "*filter
40	:INPUT ACCEPT
41	:FORWARD ACCEPT
42	:OUTPUT ACCEPT
43	-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds=60 --hitcount 4 -j REJECT --reject-with icmp6-port-unreachable
44	-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
45	COMMIT
46	"))
47
48	(define lepiller-iptables-service
49	(service iptables-service-type
50	(iptables-configuration
51	(ipv4-rules ipv4-config)
52	(ipv6-rules ipv6-config))))
53