-i ${cfg.externalInterface} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
57
+
${concatMapStrings (loopbackip:
59
+
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
60
+
destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
61
+
destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 1;
63
+
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
64
+
iptables -w -t nat -A OUTPUT \
65
+
-d ${loopbackip} -p ${fwd.proto} \
66
+
--dport ${builtins.toString fwd.sourcePort} \
67
+
-j DNAT --to-destination ${fwd.destination}
69
+
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
70
+
iptables -w -t nat -A nixos-nat-pre \
71
+
-d ${loopbackip} -p ${fwd.proto} \
72
+
--dport ${builtins.toString fwd.sourcePort} \
73
+
-j DNAT --to-destination ${fwd.destination}
75
+
iptables -w -t nat -A nixos-nat-post \
76
+
-d ${destinationIP} -p ${fwd.proto} \
77
+
--dport ${destinationPorts} \
78
+
-j SNAT --to-source ${loopbackip}
79
+
'') fwd.loopbackIPs}
${optionalString (cfg.dmzHost != null) ''
iptables -w -t nat -A nixos-nat-pre \
-i ${cfg.externalInterface} -j DNAT \
61
-
--to-destination ${cfg.dmzHost}
85
+
--to-destination ${cfg.dmzHost}
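Review bot: The new nixos-nat-post SNAT rule passes `--dport ${destinationPorts}` straight through, but the match on `fwd.destination` accepts a dash range in the port field (`ip:80-90`, the syntax DNAT `--to-destination` uses) while iptables `--dport` only understands colon ranges (`80:90`), so a ranged forward evaluates fine in Nix and then fails at rule insertion. Translating the separator where `destinationPorts` is bound fixes it, by replacing the `elemAt m 1` in that binding with `builtins.replaceStrings ["-"] [":"] (elemAt m 1)`; the duplicated throw could also be hoisted into a single check since both bindings test `m == null`. Separately, as far as the visible rules show the SNAT rule has no `-s` match, so every connection that reaches `destinationIP:destinationPorts` — including ones DNATed from the external interface by the existing rule above this hunk — will arrive at the destination host with `loopbackip` as its source, which removes the real client address from that host's logs and any per-source controls it applies; if only reflection from inside is intended, scoping the rule with a `-s` match on the internal network would keep external connections attributable. The enclosing `forwardPorts` string, and the `let` that opens these bindings, start before the hunk.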
description = "Protocol of forwarded connection";
180
+
loopbackIPs = mkOption {
181
+
type = types.listOf types.str;
183
+
example = literalExample ''[ "55.1.2.3" ]'';
184
+
description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";