]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/nftables.nix
discourse: prepare postfix, postgresql and redis
[sourcephile-nix.git] / hosts / losurdo / networking / nftables.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config) networking;
6 inherit (config.users) users groups;
7 in
8 {
9 networking.firewall.enable = false;
10 security.lockKernelModules = false;
11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
12 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
13 networking.nftables = {
14 enable = true;
15 ruleset = lib.mkBefore (''
16 table inet filter {
17 include "${../../../var/nftables/filter.txt}"
18 # A set containing the udp port(s) to which SSDP replies are allowed.
19 set ssdp_out {
20 type inet_service
21 timeout 5s
22 }
23 chain net2fw {
24 #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
25 #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
26 #jump non-internet
27
28 #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
29
30 # Some .nix append rules here with: add rule inet filter net2fw ...
31 }
32 chain fw2net {
33 tcp dport { 80, 443 } counter accept comment "HTTP"
34 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
35 tcp dport 1965 counter accept comment "Gemini"
36 tcp dport 9418 counter accept comment "Git"
37
38 # Some .nix append rules here with: add rule inet filter fw2net ...
39 }
40 chain wifi2fw {
41 # Some .nix append rules here with: add rule inet filter wifi2fw ...
42 }
43 chain fw2wifi {
44 # Some .nix append rules here with: add rule inet filter fw2wifi ...
45 }
46 chain fwd-wifi {
47 # Some .nix append rules here with: add rule inet filter fwd-wifi ...
48 }
49 chain intra2fw {
50 # Some .nix append rules here with: add rule inet filter intra2fw ...
51 }
52 chain fw2intra {
53 # Some .nix append rules here with: add rule inet filter fw2intra ...
54 }
55 chain fwd-intra {
56 # Some .nix append rules here with: add rule inet filter fwd-intra ...
57 }
58 chain extra2fw {
59 # Some .nix append rules here with: add rule inet filter extra2fw ...
60 }
61
62 chain input {
63 type filter hook input priority filter
64 policy drop
65
66 iifname lo accept
67
68 jump check-tcp
69 ct state { established, related } accept
70 jump accept-connectivity-input
71 ct state invalid counter drop
72
73 # admin services
74 tcp dport 22 counter accept comment "SSH"
75 udp dport 60000-61000 counter accept comment "Mosh"
76
77 # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
78 }
79 chain forward {
80 type filter hook forward priority filter
81 policy drop
82
83 ct state { related, established } accept
84 jump accept-connectivity-forward
85 }
86 chain output {
87 type filter hook output priority filter
88 policy drop
89
90 oifname lo accept
91
92 ct state { related, established } accept
93 jump accept-connectivity-output
94
95 tcp dport 22 counter accept comment "SSH"
96
97 # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
98 }
99 }
100 table inet nat {
101 chain prerouting {
102 type nat hook prerouting priority filter
103 policy accept
104 }
105 chain postrouting {
106 type nat hook postrouting priority srcnat
107 policy accept
108 }
109 }
110 '' + lib.optionalString (config.services.upnpc.redirections != []) (''
111 # Create a rule for accepting any SSDP packets going to a remembered port.
112 add rule inet filter net2fw udp dport @ssdp_out \
113 counter accept comment "SSDP answer"
114 add rule inet filter fw2net \
115 skuid {${users.upnpc.name},${users.nsupdate.name}} \
116 tcp dport 1900 \
117 counter accept \
118 comment "SSDP automatic opening"
119 add rule inet filter fw2net \
120 skuid {${users.upnpc.name},${users.nsupdate.name}} \
121 ip daddr 239.255.255.250 udp dport 1900 \
122 set add udp sport @ssdp_out \
123 comment "SSDP automatic opening"
124 add rule inet filter fw2net \
125 skuid {${users.upnpc.name},${users.nsupdate.name}} \
126 ip daddr 239.255.255.250 udp dport 1900 \
127 counter accept comment "SSDP"
128 '' + lib.optionalString config.networking.enableIPv6 ''
129 add rule inet filter fw2net \
130 skuid {${users.upnpc.name},${users.nsupdate.name}} \
131 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
132 set add udp sport @ssdp_out comment "SSDP automatic opening"
133 add rule inet filter fw2net \
134 skuid {${users.upnpc.name},${users.nsupdate.name}} \
135 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
136 counter accept comment "SSDP"
137 '')
138 );
139 };
140 }