🔒 fix firewall configuration because of hetzner mac address problem

2025-04-03 16:50:40 +02:00 · 2025-04-03 16:50:40 +02:00 · 0404bb5314
commit 0404bb5314
parent 01304d1852
2 changed files with 8 additions and 2 deletions
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@ -45,6 +45,9 @@
  ];

  networking.firewall.enable = true;
+  networking.firewall.extraCommands = ''
+    iptables -P FORWARD DROP
+  '';
  boot.kernel.sysctl."net.ipv4.ip_forwarding" = false;

  services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
--- a/machines/orbi/network-wireguard.nix
+++ b/machines/orbi/network-wireguard.nix
@ -20,6 +20,11 @@ let
 in
 {
  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.extraCommands = ''
+    iptables -A FORWARD -i wg0 -j ACCEPT
+  '';
+  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
+
  clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
  clan.core.facts.services.wireguard_ip = factsGenerator.public {
    "wireguard.wg0.endpoint" = "95.216.66.212:51820";
@ -31,8 +36,6 @@ in
    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
  '';

-  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
-
  # Enable WireGuard
  networking.wg-quick.interfaces = {
    # Hub and Spoke Setup