1 { pkgs, lib, config, hosts, ... }:
3 inherit (config.users) users;
6 networking.firewall.enable = false;
7 security.lockKernelModules = false;
8 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
9 # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
11 networking.nftables = {
13 ruleset = lib.mkBefore ''
15 include "${../../../nixos/profiles/nftables/filter.txt}"
18 # Other .nix modules append rules to this chain with: add rule inet filter net2fw ...
21 tcp dport { 80, 443 } counter accept comment "HTTP"
22 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
23 meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
24 tcp dport 9418 counter accept comment "Git"
25 tcp dport ssh counter accept comment "SSH"
26 udp dport 60001-60010 counter accept comment "Mosh"
28 # Other .nix modules append rules to this chain with: add rule inet filter fw2net ...
31 # Other .nix modules append rules to this chain with: add rule inet filter lan2fw ...
35 # Other .nix modules append rules to this chain with: add rule inet filter fw2lan ...
39 type filter hook input priority 0
48 # accept traffic belonging to already-established connections
49 ct state { established, related } accept
50 jump accept-connectivity-input
51 ct state invalid counter drop
54 tcp dport 22 counter accept comment "SSH"
55 udp dport 60000-61000 counter accept comment "Mosh"
57 # Other .nix modules append gotos to this chain with: add rule inet filter input iifname ... goto ...
60 type filter hook output priority 0
65 tcp flags syn tcp option maxseg size set rt mtu
67 ct state { established, related } accept
68 jump accept-connectivity-output
70 tcp dport 22 counter accept comment "SSH"
72 # Other .nix modules append gotos to this chain with: add rule inet filter output oifname ... goto ...
75 type filter hook forward priority 0
81 type nat hook prerouting priority filter
85 type nat hook postrouting priority srcnat