hosts/aubergine/networking/nftables.nix

   1 { config, ... }:
   2 let
   3   inherit (config.users) users;
   4 in
   5 {
   6   networking.firewall.enable = false;
   7   security.lockKernelModules = false;
   8   systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
   9   # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  10   # nft list ruleset
  11   networking.nftables = {
  12     enable = true;
  13     ruleset = ''
  14       table inet filter {
  15         chain input-lan {
  16           meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
  17           meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
  18           tcp dport ssh counter accept comment "SSH"
  19           udp dport 60000-61000 counter accept comment "Mosh"
  20           tcp dport 5201 counter accept comment "iperf"
  21         }
  22         chain input-net {
  23           jump check-public
  24         }
  25         chain input-intra {
  26           tcp dport ssh counter accept comment "SSH"
  27           udp dport 60000-61000 counter accept comment "Mosh"
  28           tcp dport 5201 counter accept comment "iperf"
  29         }
  30
  31         chain output-lan {
  32           tcp dport { ssh, 2222 } counter accept comment "SSH"
  33           counter accept
  34           tcp dport 5201 counter accept comment "iperf"
  35         }
  36         chain output-net {
  37           tcp dport { ssh, 2222 } counter accept comment "SSH"
  38           udp dport 60000-61000 counter accept comment "Mosh"
  39           tcp dport { http, https } counter accept comment "HTTP"
  40           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
  41           tcp dport git counter accept comment "Git"
  42           tcp dport 5201 counter accept comment "iperf"
  43         }
  44         chain output-intra {
  45           tcp dport { ssh, 2222 } counter accept comment "SSH"
  46           udp dport 60001-60010 counter accept comment "Mosh"
  47           tcp dport { http, https } counter accept comment "HTTP"
  48           tcp dport git counter accept comment "git"
  49           #tcp dport 4713 counter accept comment "pulseaudio"
  50           tcp dport 5201 counter accept comment "iperf"
  51         }
  52       }
  53     '';
  54   };
  55 }