]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/networking/nftables.nix
public-inbox: update
[sourcephile-nix.git] / hosts / mermet / networking / nftables.nix
1 { pkgs, lib, config, hosts, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users groups;
6 in
7 {
8 networking.firewall.enable = false;
9 security.lockKernelModules = false;
10 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
11 # echo -e "$(nix eval hosts.losurdo.config.networking.nftables.ruleset)"
12 # nft list ruleset
13 networking.nftables = {
14 enable = true;
15 ruleset = lib.mkBefore ''
16 table inet filter {
17 include "${../../../networking/nftables/filter.txt}"
18 chain net2fw {
19 jump check-public
20 # Some .nix append rules here with: add rule inet filter net2fw ...
21 }
22 chain fw2net {
23 tcp dport { 80, 443 } counter accept comment "HTTP"
24 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
25 tcp dport 9418 counter accept comment "Git"
26
27 # Some .nix append rules here with: add rule inet filter fw2net ...
28 }
29 chain lan2fw {
30 accept
31 # Some .nix append rules here with: add rule inet filter lan2fw ...
32 }
33 chain fw2lan {
34 accept
35 # Some .nix append rules here with: add rule inet filter fw2lan ...
36 }
37 chain intra2fw {
38 # Some .nix append rules here with: add rule inet filter intra2fw ...
39 }
40 chain fw2intra {
41 # Some .nix append rules here with: add rule inet filter fw2intra ...
42 }
43
44 chain input {
45 type filter hook input priority 0
46 policy drop
47
48 iifname lo accept
49
50 jump check-tcp
51 jump check-ping
52 jump check-broadcast
53
54 # accept traffic already established
55 ct state { established, related } accept
56 jump accept-connectivity-input
57 jump check-broadcast
58 ct state invalid drop
59
60 # admin services
61 tcp dport 22 counter accept comment "SSH"
62 udp dport 60000-61000 counter accept comment "Mosh"
63
64 # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
65 }
66 chain output {
67 type filter hook output priority 0
68 policy drop
69
70 oifname lo accept
71
72 tcp flags syn tcp option maxseg size set rt mtu
73
74 ct state { established, related } accept
75 jump accept-connectivity-output
76
77 tcp dport 22 counter accept comment "SSH"
78
79 # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
80 }
81 chain forward {
82 type filter hook forward priority 0
83 policy drop
84 drop
85 }
86 }
87 '';
88 };
89 }