From 478235fe326c784f73e1e3997dbfaf68f60b0dab Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 12 Mar 2023 20:29:20 -0600
Subject: [PATCH] Enable firewall for PIA VPN wireguard interface
---
 common/network/pia-wireguard.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix
index 2a92b59..399f487 100644
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -6,7 +6,7 @@
 # https://github.com/pia-foss/manual-connections
 # https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
 
-# TODO turn on firewall for VPN interface
+# TODO reassign ports of other VPN container services to ones that PIA won't forward to and add bash code to check to be sure port stays in this range
 # TODO handle potential errors (or at least print status, success, and failures to the console)
 # TODO handle 2 month limit for port
 # TODO handle VPN container with different name
@@ -212,6 +212,10 @@ in {
 echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
 echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
 
+ # Block all traffic from VPN interface except for traffic that is from the forwarded port
+ iptables -I INPUT -i ${cfg.interfaceName} -j DROP
+ iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
+
 # The first port refresh triggers the port to be actually allocated
 ${refreshPIAPort}
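Review bot: In the second hunk, `iptables -I INPUT -i ${cfg.interfaceName} -j DROP` is inserted at the head of INPUT, ahead of whatever ESTABLISHED,RELATED accept the host firewall provides, so replies to connections the host itself opens over the tunnel — including the `${refreshPIAPort}` call that follows — appear to be dropped unless an accept for established traffic already sits above it; an explicit `iptables -I INPUT -i ${cfg.interfaceName} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` inserted after the DROP is needed. Because the block runs every time this renewal script runs and uses `-I` unconditionally, each run adds two more rules and leaves the accept for the previous `$port` in place, so rebuilding a dedicated chain on each run is safer than inserting into INPUT directly. If the forwarded port is also expected to carry UDP, a matching `-p udp` rule is required, and `$port` should be quoted as `"$port"`. The enclosing script block continues past the hunk.
```nix
# … unchanged: signature/payload appended to /tmp/${cfg.interfaceName}-port-renewal …
# Rebuild the per-interface chain each run so stale forwarded-port rules do not accumulate
iptables -D INPUT -i ${cfg.interfaceName} -j ${cfg.interfaceName}-fw 2>/dev/null || true
iptables -F ${cfg.interfaceName}-fw 2>/dev/null || iptables -N ${cfg.interfaceName}-fw
iptables -A ${cfg.interfaceName}-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A ${cfg.interfaceName}-fw -p tcp --dport "$port" -j ACCEPT
iptables -A ${cfg.interfaceName}-fw -j DROP
iptables -I INPUT -i ${cfg.interfaceName} -j ${cfg.interfaceName}-fw
# … unchanged: first port refresh via ${refreshPIAPort} …
```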