# nftables-based firewall for the host under hosts/oignon/.
#
# The NixOS-managed firewall is turned off and replaced by the hand-written
# ruleset below.  The ruleset is registered with lib.mkBefore so that it
# comes first and other modules can append rules or gotos to the chains it
# declares (see the "Some .nix append ..." comments inside the ruleset).
{ pkgs, lib, config, hosts, ... }:
let
  # Only used to resolve the systemd-timesync user name in the NTP rule below.
  inherit (config.users) users;
in
{
  # Disable the stock NixOS firewall: this module owns the nftables ruleset.
  networking.firewall.enable = false;
  # Module loading is left unlocked and the locking service is ordered after
  # nftables.service.  NOTE(review): presumably so the nf_tables kernel
  # modules can still be loaded when the ruleset is applied — confirm.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Ways to inspect the generated / loaded ruleset.
  # NOTE(review): this file is hosts/oignon but the eval below names
  # hosts.aubergine — looks like a copy-paste; confirm the intended host.
  # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  # nft list ruleset
  networking.nftables = {
    enable = true;
    # Layout of table inet filter:
    #  - check-public, check-tcp, check-ping, check-broadcast and the
    #    accept-connectivity-* chains are not defined here; they are expected
    #    to come from the included filter.txt (not visible in this file).
    #  - net2fw / fw2net / lan2fw / fw2lan are plain (un-hooked) chains.  They
    #    are only reached through the per-interface gotos other modules
    #    append to input/output, so fw2net's allow-list (HTTP/HTTPS, NTP as
    #    systemd-timesync, dnscrypt-proxy2, Git, SSH, Mosh) has no effect
    #    until such a goto exists.
    #  - input, output and forward all default to drop.  input and output
    #    accept loopback and established/related traffic; input drops
    #    ct state invalid before the admin rules.
    #  - The admin rules (SSH tcp/22 and Mosh udp/60000-61000 inbound, SSH
    #    tcp/22 outbound) carry no iifname/oifname match, so they apply on
    #    every interface regardless of the per-interface chains.
    #  - output clamps the TCP MSS to the route MTU on SYN packets.
    #  - forward has no rules: nothing is forwarded.
    # Table inet nat only declares empty prerouting/postrouting chains with
    # policy accept, presumably for other modules to fill.  NOTE(review):
    # prerouting uses priority "filter" (0) rather than the usual "dstnat"
    # (-100) for a nat hook — confirm intent.
    ruleset = lib.mkBefore ''
      table inet filter {
        include "${../../../nixos/profiles/nftables/filter.txt}"
        chain net2fw {
          jump check-public
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
          tcp dport 9418 counter accept comment "Git"
          tcp dport ssh counter accept comment "SSH"
          udp dport 60001-60010 counter accept comment "Mosh"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain lan2fw {
          # Some .nix append rules here with: add rule inet filter lan2fw ...
        }
        chain fw2lan {
          accept
          # Some .nix append rules here with: add rule inet filter fw2lan ...
        }

        chain input {
          type filter hook input priority 0
          policy drop

          iifname lo accept

          jump check-tcp
          jump check-ping
          jump check-broadcast

          # accept traffic already established
          ct state { established, related } accept
          jump accept-connectivity-input
          ct state invalid counter drop

          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
        }
        chain output {
          type filter hook output priority 0
          policy drop

          oifname lo accept

          tcp flags syn tcp option maxseg size set rt mtu

          ct state { established, related } accept
          jump accept-connectivity-output

          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        chain forward {
          type filter hook forward priority 0
          policy drop
        }
      }
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority filter
          policy accept
        }
        chain postrouting {
          type nat hook postrouting priority srcnat
          policy accept
        }
      }
    '';
  };
}