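{ pkgs, lib, config, hostName, ... }:
let
  inherit (config.users) users;
in
{
  # The stock NixOS firewall is turned off; filtering is done by the
  # nftables ruleset below instead.
  networking.firewall.enable = false;
  # nftables needs to load its kernel modules at start-up, so module
  # loading is left unlocked, and the lock service (should it be enabled)
  # is ordered after nftables.service.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Debugging helpers:
  #   echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  #   nft list ruleset
  networking.nftables = {
    enable = true;
    # NOTE(review): only regular chains are declared here (no `type ... hook ... policy`
    # line), so these rules only take effect if base chains defined elsewhere jump
    # to them — confirm against the shared nftables module.
    ruleset = ''
      table inet filter {
        chain input-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60010 counter accept comment "Mosh"
          #tcp dport 4713 counter accept comment "pulseaudio"
          tcp dport 5201 counter accept comment "iperf"
        }
        chain input-net {
        }

        chain output-lan {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          # DHCP (bootps, port 67) is carried over UDP; the previous
          # `tcp dport bootps` rule could never match a DHCP request.
          udp dport bootps counter accept comment "DHCP"
          # TODO(review): document which services listen on 4444/5555
          tcp dport { 4444, 5555 } counter accept
          tcp dport 5201 counter accept comment "iperf"
        }
        chain output-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport 5201 counter accept comment "iperf"
        }
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          # NTP and DNS egress are restricted to the owning service users.
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport imaps counter accept comment "IMAPS"
          tcp dport xmpp-client counter accept comment "XMPP"
          tcp dport nntps counter accept comment "NNTPS"
          tcp dport 5201 counter accept comment "iperf"
        }
      }
    '';
  };
}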