]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/aubergine/networking/nftables.nix
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nan2gua1: syncoid: enable
[julm/julm-nix.git] / hosts / aubergine / networking / nftables.nix
1 { config, ... }:
2 let
3 inherit (config.users) users;
4 in
5 {
6 networking.firewall.enable = false;
7 security.lockKernelModules = false;
8 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
9 # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
10 # nft list ruleset
11 networking.nftables = {
12 enable = true;
13 ruleset = ''
14 table inet filter {
15 chain input-lan {
16 tcp dport ssh counter accept comment "SSH"
17 udp dport 60000-61000 counter accept comment "Mosh"
18 tcp dport 5201 counter accept comment "iperf"
19 }
20 chain input-net {
21 jump check-public
22 }
23 chain input-intra {
24 tcp dport ssh counter accept comment "SSH"
25 udp dport 60000-61000 counter accept comment "Mosh"
26 tcp dport 5201 counter accept comment "iperf"
27 }
28
29 chain output-lan {
30 tcp dport { ssh, 2222 } counter accept comment "SSH"
31 tcp dport 5201 counter accept comment "iperf"
32 }
33 chain output-net {
34 tcp dport { ssh, 2222 } counter accept comment "SSH"
35 udp dport 60000-61000 counter accept comment "Mosh"
36 tcp dport { http, https } counter accept comment "HTTP"
37 tcp dport git counter accept comment "Git"
38 tcp dport 5201 counter accept comment "iperf"
39 }
40 chain output-intra {
41 tcp dport { ssh, 2222 } counter accept comment "SSH"
42 udp dport 60001-60010 counter accept comment "Mosh"
43 tcp dport { http, https } counter accept comment "HTTP"
44 tcp dport git counter accept comment "git"
45 #tcp dport 4713 counter accept comment "pulseaudio"
46 tcp dport 5201 counter accept comment "iperf"
47 }
48 }
49 '';
50 };
51 }
julm's NixOS and home-manager configs