servers/losurdo/networking/nftables.nix

   1 { pkgs, lib, config, servers, ... }:
   2 let
   3   inherit (builtins) hasAttr readFile;
   4   inherit (pkgs.lib) unlinesAttrs;
   5   inherit (config.users) users groups;
   6 in
   7 {
   8 networking.firewall.enable = false;
   9 security.lockKernelModules = false;
  10 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  11 # echo -e "$(nix eval servers.losurdo.config.networking.nftables.ruleset)"
  12 # nft list ruleset
  13 networking.nftables = {
  14   enable = true;
  15   ruleset = lib.mkBefore ''
  16     table inet filter {
  17       chain net2fw {
  18         udp dport 53 counter accept comment "DNS"
  19         # Some .nix append rules here with: add rule inet filter net2fw ...
  20       }
  21       chain fw2net {
  22         udp dport 53 counter accept comment "DNS"
  23         tcp dport {80,443} counter accept comment "HTTP"
  24         udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
  25         tcp dport 9418 counter accept comment "Git"
  26
  27         # Some .nix append rules here with: add rule inet filter fw2net ...
  28       }
  29
  30       chain input {
  31         type filter hook input priority 0
  32         policy drop
  33
  34         iifname lo accept
  35
  36         # accept traffic already established
  37         ct state {established, related} accept
  38         ct state invalid drop
  39
  40         # admin services
  41         tcp dport 22 counter accept comment "SSH"
  42         udp dport 60000-61000 counter accept comment "Mosh"
  43
  44         # ICMP
  45         ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
  46         ip protocol icmp   icmp   type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
  47
  48         # allow "ping"
  49         ip6 nexthdr icmpv6 icmpv6 type echo-request accept
  50         ip protocol icmp   icmp   type echo-request accept
  51
  52         # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
  53       }
  54       chain output {
  55         type filter hook output priority 0
  56         policy drop
  57
  58         oifname lo accept
  59
  60         ct state {related,established} accept
  61         ct state invalid drop
  62
  63         icmp type echo-request counter accept comment "Ping"
  64         tcp dport 22 counter accept comment "SSH"
  65
  66         # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
  67       }
  68       chain forward {
  69         type filter hook forward priority 0
  70         policy drop
  71         drop
  72       }
  73     }
  74   '';
  75 };
  76 }