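# Per-host nftables policy for the LAN / Internet / intra interfaces.
#
# Only *regular* chains are defined here. The base chains that actually hook
# input/output (with their policy and the per-interface dispatch into
# input-lan/input-net/input-intra and output-*) and the `check-public` chain
# jumped to below are expected to come from another module that also
# contributes to `networking.nftables.ruleset` (the option is `types.lines`,
# so definitions are concatenated). NOTE(review): if that module is absent,
# `jump check-public` makes `nft -f` reject the whole ruleset and - with the
# iptables firewall disabled below - the host runs with no packet filter at
# all; confirm the base chains and check-public are present on this host.
{ pkgs, lib, config, hosts, ... }:
let
  inherit (config.users) users;
in
{
# The iptables-based NixOS firewall conflicts with a hand-written nftables
# ruleset; all filtering is done by networking.nftables below.
networking.firewall.enable = false;
# NOTE(review): lockKernelModules is disabled, so the
# disable-kernel-module-loading unit ordered on the next line is not
# generated and the `after` ordering is inert. The ordering only makes sense
# with lockKernelModules = true (nft must be able to load its nf_tables
# modules before module loading is locked) - decide which is intended.
security.lockKernelModules = false;
systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
# Debug helpers:
#   echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
#   nft list ruleset
networking.nftables = {
  enable = true;
  ruleset = ''
    table inet filter {
      # Traffic arriving from the LAN side: this host serves DNS and DHCP to
      # the LAN and accepts SSH / Mosh / iperf from it.
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-61000 counter accept comment "Mosh"
        tcp dport 5201 counter accept comment "iperf"
      }
      # Traffic arriving from the Internet is delegated entirely to
      # check-public, which is defined in another module (not in this file).
      chain input-net {
        jump check-public
      }
      # Traffic arriving from the intra side: remote-access and test tooling
      # only, no DNS/DHCP service offered here.
      chain input-intra {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-61000 counter accept comment "Mosh"
        tcp dport 5201 counter accept comment "iperf"
      }

      # Outbound to the LAN is effectively unrestricted: the unconditional
      # accept matches everything not matched earlier. The SSH and iperf
      # rules exist only for their counters, so they must precede it - a rule
      # placed after an unconditional accept can never match (the iperf rule
      # used to sit after it and never counted anything).
      chain output-lan {
        tcp dport { ssh, 2222 } counter accept comment "SSH"
        tcp dport 5201 counter accept comment "iperf"
        counter accept
      }
      # Outbound to the Internet: an explicit allow-list by destination port,
      # plus per-user exceptions for the time and DNS daemons.
      chain output-net {
        tcp dport { ssh, 2222 } counter accept comment "SSH"
        udp dport 60000-61000 counter accept comment "Mosh"
        tcp dport { http, https } counter accept comment "HTTP"
        udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
        # skuid user names are resolved when nft loads the file. This name is
        # hard-coded (unlike the NTP rule above) and the rule has no dport
        # restriction, so the resolver user may reach any udp/tcp port.
        # NOTE(review): if dnscrypt-proxy2 runs as a DynamicUser the name may
        # not resolve at load time - confirm, or pin the uid and narrow the
        # destination ports to the configured upstream resolvers.
        meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
        tcp dport git counter accept comment "Git"
        tcp dport 5201 counter accept comment "iperf"
      }
      # Outbound to the intra side. NOTE(review): the Mosh range here
      # (60001-60010) is narrower than the 60000-61000 used in every other
      # chain - confirm this is intentional.
      chain output-intra {
        tcp dport { ssh, 2222 } counter accept comment "SSH"
        udp dport 60001-60010 counter accept comment "Mosh"
        tcp dport { http, https } counter accept comment "HTTP"
        tcp dport git counter accept comment "git"
        #tcp dport 4713 counter accept comment "pulseaudio"
        tcp dport 5201 counter accept comment "iperf"
      }
    }
  '';
};
}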