hosts/aubergine/networking/nftables.nix

   1 { config, ... }:
   2 let
   3   inherit (config.users) users;
   4 in
   5 {
   6   networking.firewall.enable = false;
   7   security.lockKernelModules = false;
   8   systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
   9   # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  10   # nft list ruleset
  11   networking.nftables = {
  12     enable = true;
  13     ruleset = ''
  14       table inet filter {
  15         chain input-lan {
  16           meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
  17           meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
  18           tcp dport ssh counter accept comment "SSH"
  19           udp dport 60000-61000 counter accept comment "Mosh"
  20           tcp dport 5201 counter accept comment "iperf"
  21         }
  22         chain input-net {
  23           jump check-public
  24         }
  25         chain input-intra {
  26           tcp dport ssh counter accept comment "SSH"
  27           udp dport 60000-61000 counter accept comment "Mosh"
  28           tcp dport 5201 counter accept comment "iperf"
  29         }
  30
  31         chain output-lan {
  32           tcp dport { ssh, 2222 } counter accept comment "SSH"
  33           tcp dport 5201 counter accept comment "iperf"
  34         }
  35         chain output-net {
  36           tcp dport { ssh, 2222 } counter accept comment "SSH"
  37           udp dport 60000-61000 counter accept comment "Mosh"
  38           tcp dport { http, https } counter accept comment "HTTP"
  39           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
  40           tcp dport git counter accept comment "Git"
  41           tcp dport 5201 counter accept comment "iperf"
  42         }
  43         chain output-intra {
  44           tcp dport { ssh, 2222 } counter accept comment "SSH"
  45           udp dport 60001-60010 counter accept comment "Mosh"
  46           tcp dport { http, https } counter accept comment "HTTP"
  47           tcp dport git counter accept comment "git"
  48           #tcp dport 4713 counter accept comment "pulseaudio"
  49           tcp dport 5201 counter accept comment "iperf"
  50         }
  51       }
  52     '';
  53   };
  54 }