I have an AAAA record from my domain.example.com to my server.
However, the standard behaviour with networking.firewall.allowedTCPPorts is to open both IPv4 and IPv6 ports.
This means that anyone can reach my services with domain.example.com:service-port which isn’t ideal.
Ideally, I’d like each AAAA record to hit my server on port 80/443 and use the reverse proxy to then go to the service port for each unique service domain.
For example: plex6.example.com should map to 192.168.1.server-ip:32400 but I should NOT be able to get to plex by doing immich6.example.com:32400.
At the same time, when I’m on my internal network of 192.168.1.0/24 I would like to still be able to reach any service port.
What would be the best way for going about configuring this?
EDIT:
The way I’ve done this is:
Close the firewall ports of everything unless necessary (i.e. the reverse-proxy).
As I understand your question, you don’t provide enough information about your network. Is the rev-proxy running on a different host (I think so). Why do you complicate the setup by wanting clients on your local network to connect to the service, bypassing the rev-proxy? Wouldn’t it be simpler to have all connect through the same port? And say, you want to avoid a hairpin firewall setup, you could use a split DNS (view) configuration. But as I started my reply, I am reading tea leaves.
And if you are not happy with the simple firewall rules of NixOS, you have to write your own (idempotently), by using networking.firewall.extraCommands and networking.firewall.extraStopCommands to my knowledge.
The reverse proxy is running on the same host on server-ipv46:80.
The AAAA record(s) will point to server-ipv6 and the reverse proxy should handle them and point queries to the right place, i.e. plex6.example.com → localhost:32400, but I want immich6.example.com:32400 to neither be valid nor go to plex.
However, if I don’t open the ports in the firewall, I can’t go from my LAN to any services on ports on the server in the lan. For example, if I try server-ipv4:32400 with the firewall closed, I can no longer reach plex via that route from another machine.
I think your reply hints that in this case, I should just handle everything with the reverse proxy although I’m not quite sure how to handle this in the case of the local ipv4 connections. I imagine I’d then have to set up dns on the server as well?
IIUC domain.example.com and immich6.example.com are different machines, you want the first to expose a reverse proxy on the WAN and the second to be only accessible from your LAN IPv4 subnet.
If so, do something like this
```nix
# extraInputRules is only available with the nftables backend, so enable it first.
networking.nftables.enable = true;
networking.firewall.extraInputRules = ''
  # Match the LAN prefix as written in the question (192.168.1.0/24); a host
  # address with a /24 mask would be normalised to the same prefix anyway.
  ip saddr 192.168.1.0/24 tcp dport 32400 accept comment "allow plex from LAN"
'';
```
No, they’re intended to be the same machine but pointing to different services.
plex6.example.com will point to the public ipv6 address of my server and be reverse proxied localhost:32400 for plex.
immich6.example.com will point the public ipv6 address of my server and will be reverse proxied to localhost:22283 for immich.
I DON’T want to be able to access immich over ipv6 by doing plex6.example.com:22283. Therefore I can’t open the firewall ports using standard networking.firewall.allowedTCPConnections
At the same time, when I’m on the LAN and want to access my services locally from another machine on the LAN, I can’t simply do local-server-ipv4:32400 to reach plex because the firewall is closed - even though it would be convenient for me.
Looking at your solution however, I think it works.
If I change the rule to allow connections to any port from 192.168.1.0/24, then this will satisfy my requirements I think
Will give it a try after today’s wagie caging.
EDIT: You are correct, this works! Thank you very much
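Putting the whole thread together as one NixOS module, as an added example that is not part of any post above: the public side opens only the reverse proxy ports on both address families, the LAN prefix named in the question is allowed to every port, and the proxy routes by hostname. The thread does not say which reverse proxy is in use, so nginx, the `plex6`/`immich6` hostnames, the loopback backends and the catch-all vhost are assumptions here; the commented-out `allowedTCPPorts` line is the setting the thread rejects, shown beside the replacement.

```nix
# Hypothetical NixOS host configuration (example, not from the thread).
# Assumed: nginx as the reverse proxy, LAN = 192.168.1.0/24, Plex on 32400,
# Immich on 22283, TLS/ACME left out to keep the example short.
{ config, lib, pkgs, ... }:

{
  # extraInputRules below is only valid with the nftables backend.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Publicly reachable on IPv4 and IPv6: the reverse proxy only.
    allowedTCPPorts = [ 80 443 ];

    # The setting the thread rejects: allowedTCPPorts opens the ports on every
    # interface and address family, so plex6.example.com:22283 would reach Immich.
    # allowedTCPPorts = [ 80 443 32400 22283 ];

    # LAN clients may reach any port directly. This matches IPv4 sources only;
    # LAN clients arriving over IPv6 (link-local, ULA or GUA) would need an
    # equivalent "ip6 saddr" rule for their prefix.
    extraInputRules = ''
      ip saddr 192.168.1.0/24 accept comment "LAN may reach any port"
    '';
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    # Catch-all for any Host header the proxy does not know: 444 closes the
    # connection without a response, so the public address cannot be used to
    # reach a backend by guessing names or by connecting with no SNI/Host.
    virtualHosts."_" = {
      default = true;
      extraConfig = "return 444;";
    };

    # plex6.example.com -> Plex on loopback.
    virtualHosts."plex6.example.com" = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:32400";
        proxyWebsockets = true;
      };
    };

    # immich6.example.com -> Immich on loopback.
    virtualHosts."immich6.example.com" = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:22283";
        proxyWebsockets = true;
      };
    };
  };
}
```

After `nixos-rebuild switch`, `nft list chain inet nixos-fw input` should show the LAN accept rule ahead of the final reject, and from outside the LAN a connection to the server's IPv6 address on 32400 or 22283 should be refused while port 80 answers only for the two configured hostnames.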