pyrox.dev / nixpkgs
lol
fork atom

nixos/nat: add dmzHost option (#32257)

Ryan Trinkle 4f8a65a1 13797ff5

options
unified split
Changed files
+17
nixos
modules
services
networking
nat.nix
+17
nixos/modules/services/networking/nat.nix 
···

       
53

       
53

       
 

       
        -j DNAT --to-destination ${fwd.destination}


     

       
54

       
54

       
 

       
    '') cfg.forwardPorts}


     

       
55

       
55

       
 

       



     

       

       
56

       
+

       
    ${optionalString (cfg.dmzHost != null) ''


     

       

       
57

       
+

       
      iptables -w -t nat -A nixos-nat-pre \


     

       

       
58

       
+

       
        -i ${cfg.externalInterface} -j DNAT \


     

       

       
59

       
+

       
	--to-destination ${cfg.dmzHost}


     

       

       
60

       
+

       
    ''}


     

       

       
61

       
+

       



     

       
56

       
62

       
 

       
    # Append our chains to the nat tables


     

       
57

       
63

       
 

       
    iptables -w -t nat -A PREROUTING -j nixos-nat-pre


     

       
58

       
64

       
 

       
    iptables -w -t nat -A POSTROUTING -j nixos-nat-post


     
···

       
150

       
156

       
 

       
        ''


     

       
151

       
157

       
 

       
          List of forwarded ports from the external interface to


     

       
152

       
158

       
 

       
          internal destinations by using DNAT.


     

       

       
159

       
+

       
        '';


     

       

       
160

       
+

       
    };


     

       

       
161

       
+

       



     

       

       
162

       
+

       
    networking.nat.dmzHost = mkOption {


     

       

       
163

       
+

       
      type = types.nullOr types.str;


     

       

       
164

       
+

       
      default = null;


     

       

       
165

       
+

       
      example = "10.0.0.1";


     

       

       
166

       
+

       
      description =


     

       

       
167

       
+

       
        ''


     

       

       
168

       
+

       
          The local IP address to which all traffic that does not match any


     

       

       
169

       
+

       
          forwarding rule is forwarded.


     

       
153

       
170

       
 

       
        '';


     

       
154

       
171

       
 

       
    };


     

       
155

       
172