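{ pkgs, lib, config, machines, ... }:
let
  # Only the user set is needed: the NTP rule below matches on the uid of
  # the systemd-timesync user.  (Earlier unused bindings — hasAttr, readFile,
  # unlinesAttrs, groups — were dropped.)
  inherit (config.users) users;
in
{
  # The NixOS iptables-based firewall is replaced by the nftables ruleset below.
  networking.firewall.enable = false;
  # NOTE(review): the kernel-module lock is off, presumably because
  # nftables.service has to load netfilter modules when it starts; the
  # ordering on disable-kernel-module-loading below only takes effect if
  # security.lockKernelModules is re-enabled — confirm before relying on it.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Inspect the generated ruleset with:
  #   echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
  #   nft list ruleset
  systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
  networking.nftables = {
    enable = true;
    # mkBefore keeps this base table ahead of whatever other modules append
    # with "add rule inet filter <chain> ...".
    ruleset = lib.mkBefore ''
      table inet filter {
        # Helper chains.  They hold few or no rules here; other .nix files
        # append rules to them and add the "goto" that reaches them from the
        # input/output/forward chains further down.
        chain net2fw {
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport {80,443} counter accept comment "HTTP"
          # Outbound NTP is restricted to the systemd-timesyncd service user.
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }
        chain fwd-intra {
          # Some .nix append rules here with: add rule inet filter fwd-intra ...
        }

        chain input {
          type filter hook input priority 0
          policy drop

          iifname lo accept

          # accept traffic already established
          ct state {established, related} accept
          ct state invalid drop

          # admin services: accepted from every source address and without
          # rate limiting; source restriction or a limit would be the place
          # to tighten this.
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # ICMP: errors plus the ICMPv6 neighbour/router discovery and MLD
          # messages that IPv6 needs in order to work at all.
          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

          # allow "ping"
          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
          ip protocol icmp icmp type echo-request accept

          # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
        }
        chain output {
          type filter hook output priority 0
          policy drop

          oifname lo accept

          ct state {related,established} accept
          ct state invalid drop

          # NOTE(review): only IPv4 echo-request is accepted here; no outbound
          # ICMPv6 (neighbour solicitation/advertisement, router solicitation)
          # is, so unless a goto appended elsewhere accepts it, the host's own
          # IPv6 neighbour discovery presumably falls through to policy drop
          # — confirm.
          icmp type echo-request counter accept comment "Ping"
          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        chain forward {
          # Nothing is forwarded unless another .nix appends a goto here
          # (e.g. towards fwd-intra).
          type filter hook forward priority 0
          policy drop
        }
      }
    '';
  };
}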