# nft list ruleset
networking.nftables = {
enable = true;
- ruleset = lib.mkBefore ''
+ ruleset = ''
table inet filter {
- include "${../../../nixos/profiles/nftables/filter.txt}"
- chain net2fw {
- jump check-public
- # Some .nix append rules here with: add rule inet filter net2fw ...
- }
- chain fw2net {
- tcp dport { 80, 443 } counter accept comment "HTTP"
- udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
- tcp dport 9418 counter accept comment "Git"
-
- # Some .nix append rules here with: add rule inet filter fw2net ...
- }
- chain lan2fw {
- # Some .nix append rules here with: add rule inet filter lan2fw ...
- }
- chain fw2lan {
- accept
- # Some .nix append rules here with: add rule inet filter fw2lan ...
- }
- chain intra2fw {
- # Some .nix append rules here with: add rule inet filter intra2fw ...
+ chain input-lan {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-61000 counter accept comment "Mosh"
+ tcp dport 5201 counter accept comment "iperf"
}
- chain fw2intra {
- # Some .nix append rules here with: add rule inet filter fw2intra ...
+ chain input-net {
+ jump check-public
}
-
- chain input {
- type filter hook input priority 0
- policy drop
-
- iifname lo accept
-
- jump check-tcp
- jump check-ping
- jump check-broadcast
-
- # accept traffic already established
- ct state { established, related } accept
- jump accept-connectivity-input
- ct state invalid counter drop
-
- # admin services
- tcp dport 22 counter accept comment "SSH"
+ chain input-intra {
+ tcp dport ssh counter accept comment "SSH"
udp dport 60000-61000 counter accept comment "Mosh"
-
- # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
+ tcp dport 5201 counter accept comment "iperf"
}
- chain output {
- type filter hook output priority 0
- policy drop
-
- oifname lo accept
-
- tcp flags syn tcp option maxseg size set rt mtu
-
- ct state { established, related } accept
- jump accept-connectivity-output
- tcp dport 22 counter accept comment "SSH"
-
- # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
- }
- chain forward {
- type filter hook forward priority 0
- policy drop
- }
- }
- table inet nat {
- chain prerouting {
- type nat hook prerouting priority filter
- policy accept
+ chain output-lan {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ counter accept
+ tcp dport 5201 counter accept comment "iperf"
}
- chain postrouting {
- type nat hook postrouting priority srcnat
- policy accept
+ chain output-net {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60000-61000 counter accept comment "Mosh"
+ tcp dport { http, https } counter accept comment "HTTP"
+ udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
+ tcp dport git counter accept comment "Git"
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ chain output-intra {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60001-60010 counter accept comment "Mosh"
+ tcp dport { http, https } counter accept comment "HTTP"
+ tcp dport git counter accept comment "git"
+ #tcp dport 4713 counter accept comment "pulseaudio"
+ tcp dport 5201 counter accept comment "iperf"
}
}
'';
sourcephile / git / julm / julm-nix.git / blobdiff