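{ pkgs, lib, config, ... }:
let
  # Only `users` is referenced below (the NTP rule matches on a system
  # user's uid); the other let-bindings the file used to carry were unused
  # and have been dropped.
  inherit (config.users) users;
in
{
  # The NixOS iptables-based firewall is replaced by the nftables ruleset
  # declared in this file.
  networking.firewall.enable = false;
  # Order the ruleset load (which autoloads the nf_tables kernel modules)
  # before kernel module loading is disabled for the rest of boot.
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
  networking.nftables = {
    enable = true;
    # mkBefore places this base ruleset ahead of the fragments other .nix
    # files contribute with `add rule inet filter ...` (see the notes in
    # the chains below), so the tables and chains exist when they are appended to.
    ruleset = lib.mkBefore ''
      table inet filter {
        # Shared definitions, copied to the Nix store and included by store path.
        # Presumably this is where the check-tcp and accept-connectivity-*
        # chains jumped to below are defined -- confirm in filter.txt.
        include "${../../../networking/nftables/filter.txt}"
        # A set containing the udp port(s) to which SSDP replies are allowed.
        # Entries expire after 5s; nothing in this file adds to or matches on
        # the set, so it is expected to be used by filter.txt or appended rules.
        set ssdp_out {
          type inet_service
          timeout 5s
        }
        # Internet -> this host. Currently holds only disabled experiments.
        chain net2fw {
          #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
          #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
          #jump non-internet

          #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset

          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        # This host -> Internet: the outbound services the host itself may reach.
        # Nothing in this file jumps here; the output chain is expected to be
        # wired to it by the gotos other .nix files append.
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          # NTP is restricted to the timesync service user, not any local process.
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 1965 counter accept comment "Gemini"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }

        chain input {
          type filter hook input priority filter
          # Default deny: everything not explicitly accepted below is dropped.
          policy drop

          iifname lo accept

          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          # NOTE(review): invalid-state packets are only dropped after the
          # connectivity jump above; if accept-connectivity-input accepts on
          # protocol/type alone, invalid packets can be accepted there first.
          # Confirm, or move this rule ahead of the jumps.
          ct state invalid counter drop

          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
        }
        chain forward {
          type filter hook forward priority filter
          # No forwarding unless a connectivity rule or an appended goto allows it.
          policy drop

          #tcp flags syn tcp option maxseg size set rt mtu
          ct state { related, established } accept
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          # Outbound is also default-deny; per-service egress lives in fw2net
          # and in the gotos appended by other .nix files.
          policy drop

          oifname lo accept

          # Clamp the MSS of outgoing SYNs to the route MTU.
          tcp flags syn tcp option maxseg size set rt mtu

          ct state { related, established } accept
          jump accept-connectivity-output

          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
      }
      # NAT hooks are declared with an accept policy so other .nix files can
      # append dnat/snat rules; this file adds none itself.
      table inet nat {
        chain prerouting {
          # NOTE(review): prerouting nat chains conventionally run at
          # `priority dstnat` (-100); `filter` (0) is accepted by nft but
          # changes where DNAT happens relative to other prerouting hooks -- confirm.
          type nat hook prerouting priority filter
          policy accept
        }
        chain postrouting {
          type nat hook postrouting priority srcnat
          policy accept
        }
      }
    '';
  };
}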