]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/patate/networking/nftables.nix
nix: use builtins.path to avoid changes when inputs.self changes
[julm/julm-nix.git] / hosts / patate / networking / nftables.nix
1 { config, ... }:
2 let
3 inherit (config.users) users;
4 in
5 {
6 networking.firewall.enable = false;
7 security.lockKernelModules = false;
8 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
9 # echo -e "$(nix eval hosts.courge.config.networking.nftables.ruleset)"
10 # nft list ruleset
11 networking.nftables = {
12 enable = true;
13 /*
14 preCheckRuleset = ''
15 sed -i ruleset.conf \
16 -e 's/ip daddr losurdo.wg//'
17 '';
18 */
19 ruleset = ''
20 table inet filter {
21 chain input-intra {
22 tcp dport { ssh, 2222 } counter accept comment "SSH"
23 udp dport 60001-60010 counter accept comment "Mosh"
24 tcp dport 5201 counter accept comment "iperf"
25 }
26 chain input-lan {
27 tcp dport { ssh, 2222 } counter accept comment "SSH"
28 udp dport 60001-60010 counter accept comment "Mosh"
29 }
30 chain input-net {
31 }
32
33 chain output-intra {
34 tcp dport { ssh, 2222 } counter accept comment "SSH"
35 udp dport 60001-60100 counter accept comment "Mosh"
36 tcp dport { http, https } counter accept comment "HTTP"
37 tcp dport git counter accept comment "Git"
38 tcp dport 5201 counter accept comment "iperf"
39 }
40 chain output-lan {
41 tcp dport { ssh, 2222 } counter accept comment "SSH"
42 udp dport 60001-60100 counter accept comment "Mosh"
43 tcp dport bootps counter accept comment "DHCP"
44 tcp dport { 4444, 5555 } counter accept
45 tcp dport 5201 counter accept comment "iperf"
46 }
47 chain output-net {
48 tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
49 udp dport 60001-60100 counter accept comment "Mosh"
50 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
51 tcp dport { http, https } counter accept comment "HTTP"
52 tcp dport git counter accept comment "Git"
53 tcp dport imaps counter accept comment "IMAPS"
54 tcp dport submission counter accept comment "SMTP"
55 tcp dport submissions counter accept comment "SMTPS"
56 tcp dport xmpp-client counter accept comment "XMPP client"
57 tcp dport 5223 counter accept comment "XMPP client direct TLS"
58 tcp dport 5281 counter accept comment "XMPP HTTPS"
59 tcp dport nntps counter accept comment "NNTPS"
60 tcp dport 5201 counter accept comment "iperf"
61 }
62 }
63 '';
64 };
65 }