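# nftables ruleset for the `losurdo` machine: a hand-written `inet filter`
# table plus an (empty) `inet nat` table.
#
# The chains net2fw, fw2net, wifi2fw, fw2wifi, fwd-wifi, intra2fw, fw2intra,
# fwd-intra and extra2fw are placeholders that other .nix files fill in with
# `add rule inet filter <chain> ...`; the input/output chains are likewise
# extended with per-interface `goto`s.  That is why this ruleset is registered
# with lib.mkBefore: it must be loaded before those additions.
{ pkgs, lib, config, machines, ... }:
let
  inherit (config) networking;
  inherit (config.users) users;
in
{
  # The iptables-based NixOS firewall would conflict with this ruleset.
  networking.firewall.enable = false;
  # nft loads kernel modules when the ruleset is applied.  Module loading is
  # not locked here; if it is locked elsewhere in the configuration, the
  # locking unit is ordered after nftables.service so the modules can still
  # be loaded.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Start timeout (seconds) for the nftables unit.
  systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
  networking.nftables = {
    enable = true;
    ruleset = lib.mkBefore ''
      table inet filter {
        # A set containing the udp port(s) to which SSDP replies are allowed.
        set ssdp_out {
          type inet_service
          timeout 5s
        }

        # Per-source rate limiters used by the logging chains below, so that a
        # single source cannot flood the journal.
        # NOTE(review): elements added by `add @lograte4 { ... }` carry no
        # timeout, so once 65535 distinct sources have been seen further adds
        # fail and the corresponding log rule stops firing; `flags dynamic,timeout`
        # with a `timeout` would bound this — confirm against the nft version in use.
        set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
        set lograte6 { type ipv6_addr; size 65535; flags dynamic; }

        # Each of the following chains logs at most once per minute per source
        # address, counts the packet, and drops it.
        chain block {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "block: "
          add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "block: "
          counter drop
        }
        chain ping-flood {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
          add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
          counter drop
        }
        chain smurf {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
          add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
          counter drop
        }
        chain bogus-tcp {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
          add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
          counter drop
        }
        chain syn-flood {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
          add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
          counter drop
        }

        # Sanity checks applied to every TCP packet; chain input jumps here
        # before consulting conntrack, so established flows are checked too.
        chain check-tcp {
          tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
          tcp flags & (ack|fin) == fin counter goto bogus-tcp
          tcp flags & (ack|psh) == psh counter goto bogus-tcp
          tcp flags & (ack|urg) == urg counter goto bogus-tcp
          tcp flags & (fin|ack) == fin counter goto bogus-tcp
          tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
          tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
          tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
          tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
          tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
          tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
          tcp flags == (fin|urg|psh) counter goto bogus-tcp
          tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
          tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp

          # A new connection must start with a SYN.  Mask to the four flags that
          # matter, as the two rules below already do, so that an ECN-negotiating
          # SYN (syn|ece|cwr) is not dropped as bogus.
          ct state new tcp flags & (fin|syn|rst|ack) != syn counter goto bogus-tcp
          tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
          tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
        }

        chain net2fw {
          #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
          #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
          #jump non-internet

          #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset

          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          # Only the time-sync service user may speak NTP to the network.
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 1965 counter accept comment "Gemini"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain wifi2fw {
          # Some .nix append rules here with: add rule inet filter wifi2fw ...
        }
        chain fw2wifi {
          # Some .nix append rules here with: add rule inet filter fw2wifi ...
        }
        chain fwd-wifi {
          # Some .nix append rules here with: add rule inet filter fwd-wifi ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }
        chain fwd-intra {
          # Some .nix append rules here with: add rule inet filter fwd-intra ...
        }
        chain extra2fw {
          # Some .nix append rules here with: add rule inet filter extra2fw ...
        }

        # ICMPv6 messages that a host must accept (RFC 4890); shared by the
        # input and output chains.  Anything not accepted here falls through
        # to the caller, which rejects remaining ICMPv6 with a log line.
        chain accept-icmpv6 {
          # Traffic That Must Not Be Dropped
          # https://tools.ietf.org/html/rfc4890#section-4.4.1
          icmpv6 type destination-unreachable counter accept
          icmpv6 type packet-too-big counter accept
          icmpv6 type time-exceeded counter accept
          icmpv6 type parameter-problem counter accept

          # Address Configuration and Router Selection messages
          # (must be received with hop limit = 255)
          icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
          ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
          icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
          icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
          # Redirects are deliberately dropped (and logged) rather than honoured.
          icmpv6 type nd-redirect ip6 hoplimit 255 log level warn prefix "icmpv6: nd-redirect: " counter drop
          icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
          icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept

          # Link-local multicast receiver notification messages
          # (must have link-local source address)
          icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
          icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
          icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
          # https://tools.ietf.org/html/rfc3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6
          icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept

          # SEND Certificate Path notification messages
          # (must be received with hop limit = 255)
          icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
          icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"

          # Multicast Router Discovery messages
          # (must have link-local source address and hop limit = 1)
          icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
          icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
          icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
        }

        chain input {
          type filter hook input priority filter
          policy drop

          iifname lo accept

          # TCP sanity checks run before conntrack so they apply to every packet.
          jump check-tcp

          ct state { established, related } accept

          # Connectivity checking messages
          # (multicast) ping
          ip protocol icmp icmp type echo-reply counter accept

          ${lib.optionalString networking.enableIPv6 ''
            # drop packets with rh0 headers
            rt type 0 jump block

            # (multicast) ping
            ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept

            #ip6 daddr fe80::/64 udp dport 546 counter accept comment "DHCPv6"
          ''}

          ct state invalid counter drop

          ip protocol icmp icmp type destination-unreachable counter accept
          ip protocol icmp icmp type time-exceeded counter accept
          ip protocol icmp icmp type parameter-problem counter accept
          ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
          ip protocol icmp icmp type echo-request counter accept
          # echo-reply is handled before invalid packets to allow multicast ping
          # which do not have an associated connection.

          #ip daddr 224.0.0.251 udp dport 5353 counter accept comment "mDNS"
          #ip saddr 0.0.0.0/32 counter accept comment "DHCP"
          #ip udp sport 67 udp dport 68 counter accept comment "DHCP"

          ${lib.optionalString networking.enableIPv6 ''
            ip6 nexthdr ipv6-icmp jump accept-icmpv6

            # Connectivity checking messages
            icmpv6 type echo-request counter accept
            # echo-reply is handled before invalid because of multicast

            ip6 nexthdr ipv6-icmp log level err prefix "net2fw: icmpv6: catch all: " counter reject

            ip6 daddr ff02::fb udp dport 5353 counter accept comment "mDNS"
          ''}

          ip saddr 224.0.0.0/4 counter goto smurf
          fib saddr type broadcast counter goto smurf

          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
        }
        chain forward {
          type filter hook forward priority filter
          policy drop

          ct state { related, established } accept

          ip protocol icmp icmp type destination-unreachable counter accept
          ip protocol icmp icmp type time-exceeded counter accept
          ip protocol icmp icmp type parameter-problem counter accept
          ip protocol icmp icmp type echo-request counter accept

          ${lib.optionalString networking.enableIPv6 ''
            # Traffic That Must Not Be Dropped
            # https://tools.ietf.org/html/rfc4890#section-4.3.1
            ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
            ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
            ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
            ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept

            # Connectivity checking messages
            ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
            ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept

            # Traffic That Normally Should Not Be Dropped
            # https://tools.ietf.org/html/rfc4890#section-4.3.2
            ip6 nexthdr ipv6-icmp icmpv6 type 144 counter accept comment "home-agent-address-discovery-request"
            ip6 nexthdr ipv6-icmp icmpv6 type 145 counter accept comment "home-agent-address-discovery-reply"
            ip6 nexthdr ipv6-icmp icmpv6 type 146 counter accept comment "mobile-prefix-solicitation"
            ip6 nexthdr ipv6-icmp icmpv6 type 147 counter accept comment "mobile-prefix-advertisement"
          ''}
        }
        chain output {
          type filter hook output priority filter
          policy drop

          oifname lo accept

          ct state { related, established } accept

          ip protocol icmp counter accept
          # Only root may send the UDP probes used by traceroute.
          meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute"

          ${lib.optionalString networking.enableIPv6 ''
            ip6 nexthdr ipv6-icmp jump accept-icmpv6

            # Connectivity checking messages
            ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
            ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
            ip6 nexthdr ipv6-icmp log level err prefix "fw2net: icmpv6: catch all: " counter reject

            # NOTE(review): the /64 prefix makes this match any ff02::/64 destination,
            # not only ff02::1:2 (All_DHCP_Relay_Agents_and_Servers); an exact address
            # is probably what was intended — confirm before narrowing.
            ip6 daddr ff02::1:2/64 udp dport 547 counter accept comment "DHCPv6"
          ''}

          ct state invalid log level warn prefix "fw2net: invalid: " counter drop

          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
      }
      # NAT hooks are registered with accept policies so that other .nix files
      # can append rules to them.
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority filter
          policy accept
        }
        chain postrouting {
          type nat hook postrouting priority srcnat
          policy accept
        }
      }
    '';
  };
}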