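# nftables firewall for the losurdo machine.
#
# Replaces the NixOS iptables firewall with a default-deny nftables ruleset:
# the input, forward and output hooks all carry `policy drop`, and only the
# explicitly listed traffic (plus whatever the connectivity chains accept)
# gets through. The fragment also declares a set of per-zone chains
# (net2fw, fw2net, wifi2fw, fw2wifi, fwd-wifi, intra2fw, fw2intra, fwd-intra,
# extra2fw) that are mostly empty here; other modules of this configuration
# fill them in with `add rule inet filter <chain> ...`.
{ pkgs, lib, config, machines, ... }:
let
  # Only the user set is referenced below: the outbound NTP rule matches on
  # the systemd-timesync user's uid via `skuid`. (Previously unused bindings
  # of hasAttr, readFile, unlinesAttrs, networking and groups were dropped.)
  inherit (config.users) users;
in
{
  # The iptables-based NixOS firewall is turned off; the ruleset below is the
  # only packet filter on this host.
  networking.firewall.enable = false;

  # NOTE(review): kernel-module locking is left off here, presumably so that
  # nft can still load its modules when the ruleset is applied -- confirm.
  # The ordering below only has an effect if the disable-kernel-module-loading
  # unit exists, i.e. if lockKernelModules is enabled elsewhere in this
  # configuration; otherwise it is a no-op.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # Give the nftables unit up to 20 seconds to load the ruleset before systemd
  # treats the start as failed.
  systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";

  networking.nftables = {
    enable = true;

    # mkBefore places this fragment ahead of rulesets contributed by other
    # modules, so the chains declared here already exist when those modules
    # append to them (see the "Some .nix append ..." comments inside).
    #
    # Names used but not defined in this fragment (check-tcp and the
    # accept-connectivity-* chains) are expected to come from the included
    # filter.txt -- verify there if a rule is changed.
    #
    # Security-relevant shape of the filter table:
    #   * input accepts SSH (22/tcp) and Mosh (60000-61000/udp) on every
    #     interface; everything else depends on the connectivity chains and on
    #     the per-interface gotos appended by other modules.
    #   * output is also default-deny; outbound SSH is allowed unconditionally,
    #     HTTP/HTTPS, NTP (systemd-timesync only), Gemini and Git go through
    #     fw2net, which other modules wire to the right interface.
    #   * the invalid-state drop in input comes after the established/related
    #     accept, which is fine: a packet cannot be in both states.
    #
    # NOTE(review): the nat prerouting chain uses `priority filter` (0)
    # rather than the conventional `dstnat` (-100). That is harmless as long
    # as no filter-hook prerouting chain is added, but worth confirming.
    # NOTE(review): the trailing comment of the input chain spells the
    # interface match `iffname`; the nft keyword is `iifname`, as used for
    # `lo` in the same chain. Left untouched here because the ruleset text
    # is passed to nft verbatim.
    ruleset = lib.mkBefore ''
      table inet filter {
        include "${../../../var/nftables/filter.txt}"
        chain net2fw {
          #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
          #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
          #jump non-internet

          #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset

          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 1965 counter accept comment "Gemini"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain wifi2fw {
          # Some .nix append rules here with: add rule inet filter wifi2fw ...
        }
        chain fw2wifi {
          # Some .nix append rules here with: add rule inet filter fw2wifi ...
        }
        chain fwd-wifi {
          # Some .nix append rules here with: add rule inet filter fwd-wifi ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }
        chain fwd-intra {
          # Some .nix append rules here with: add rule inet filter fwd-intra ...
        }
        chain extra2fw {
          # Some .nix append rules here with: add rule inet filter extra2fw ...
        }

        chain input {
          type filter hook input priority filter
          policy drop

          iifname lo accept

          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          ct state invalid counter drop

          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
        }
        chain forward {
          type filter hook forward priority filter
          policy drop

          ct state { related, established } accept
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop

          oifname lo accept

          ct state { related, established } accept
          jump accept-connectivity-output

          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
      }
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority filter
          policy accept
        }
        chain postrouting {
          type nat hook postrouting priority srcnat
          policy accept
        }
      }
    '';
  };
}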