machines/losurdo/networking/nftables.nix

   1 { pkgs, lib, config, machines, ... }:
   2 let
   3   inherit (builtins) hasAttr readFile;
   4   inherit (pkgs.lib) unlinesAttrs;
   5   inherit (config) networking;
   6   inherit (config.users) users groups;
   7 in
   8 {
   9 networking.firewall.enable = false;
  10 security.lockKernelModules = false;
  11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  12 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
  13 networking.nftables = {
  14   enable = true;
  15   ruleset = lib.mkBefore ''
  16     table inet filter {
  17       include "${../../../var/nftables/filter.txt}"
  18       chain net2fw {
  19         #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
  20         #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
  21         #jump non-internet
  22
  23         #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
  24
  25         # Some .nix append rules here with: add rule inet filter net2fw ...
  26       }
  27       chain fw2net {
  28         tcp dport { 80, 443 } counter accept comment "HTTP"
  29         udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
  30         tcp dport 1965 counter accept comment "Gemini"
  31         tcp dport 9418 counter accept comment "Git"
  32
  33         # Some .nix append rules here with: add rule inet filter fw2net ...
  34       }
  35       chain wifi2fw {
  36         # Some .nix append rules here with: add rule inet filter wifi2fw ...
  37       }
  38       chain fw2wifi {
  39         # Some .nix append rules here with: add rule inet filter fw2wifi ...
  40       }
  41       chain fwd-wifi {
  42         # Some .nix append rules here with: add rule inet filter fwd-wifi ...
  43       }
  44       chain intra2fw {
  45         # Some .nix append rules here with: add rule inet filter intra2fw ...
  46       }
  47       chain fw2intra {
  48         # Some .nix append rules here with: add rule inet filter fw2intra ...
  49       }
  50       chain fwd-intra {
  51         # Some .nix append rules here with: add rule inet filter fwd-intra ...
  52       }
  53       chain extra2fw {
  54         # Some .nix append rules here with: add rule inet filter extra2fw ...
  55       }
  56
  57       chain input {
  58         type filter hook input priority filter
  59         policy drop
  60
  61         iifname lo accept
  62
  63         jump check-tcp
  64         ct state { established, related } accept
  65         jump accept-connectivity-input
  66         ct state invalid counter drop
  67
  68         # admin services
  69         tcp dport 22 counter accept comment "SSH"
  70         udp dport 60000-61000 counter accept comment "Mosh"
  71
  72         # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
  73       }
  74       chain forward {
  75         type filter hook forward priority filter
  76         policy drop
  77
  78         ct state { related, established } accept
  79         jump accept-connectivity-forward
  80       }
  81       chain output {
  82         type filter hook output priority filter
  83         policy drop
  84
  85         oifname lo accept
  86
  87         ct state { related, established } accept
  88         jump accept-connectivity-output
  89
  90         tcp dport 22 counter accept comment "SSH"
  91
  92         # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
  93       }
  94     }
  95     table inet nat {
  96       chain prerouting {
  97         type nat hook prerouting priority filter
  98         policy accept
  99       }
 100       chain postrouting {
 101         type nat hook postrouting priority srcnat
 102         policy accept
 103       }
 104     }
 105   '';
 106 };
 107 }