nixos/nat: add dmzHost option (#32257)

2017-12-04 04:21:58 -05:00 · 2017-12-04 04:21:58 -05:00 · 4f8a65a163
commit 4f8a65a163
parent 13797ff522
1 changed files with 17 additions and 0 deletions
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@ -53,6 +53,12 @@ let
        -j DNAT --to-destination ${fwd.destination}
    '') cfg.forwardPorts}

+    ${optionalString (cfg.dmzHost != null) ''
+      iptables -w -t nat -A nixos-nat-pre \
+        -i ${cfg.externalInterface} -j DNAT \
+	--to-destination ${cfg.dmzHost}
+    ''}
+
    # Append our chains to the nat tables
    iptables -w -t nat -A PREROUTING -j nixos-nat-pre
    iptables -w -t nat -A POSTROUTING -j nixos-nat-post
@ -153,6 +159,17 @@ in
        '';
    };

+    networking.nat.dmzHost = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      example = "10.0.0.1";
+      description =
+        ''
+          The local IP address to which all traffic that does not match any
+          forwarding rule is forwarded.
+        '';
+    };
+
  };