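{ pkgs, lib, config, ... }:
let
  # Only the user names are needed below (for the `skuid` matches).
  # The other bindings this `let` used to inherit (hasAttr, readFile,
  # unlinesAttrs, networking, groups) were never referenced.
  inherit (config.users) users;
in
{
  # The NixOS firewall module is disabled: this host manages its whole
  # ruleset through networking.nftables below, and the two would
  # otherwise compete for the same hooks.
  networking.firewall.enable = false;

  # Loading the ruleset autoloads the nf_tables / nft_* / nf_nat modules
  # it needs, so the service that locks kernel module loading
  # (security.lockKernelModules, per the commit subject) is ordered after
  # nftables.service.
  # NOTE(review): this only orders the initial start. Once module loading
  # is locked, a later `nft -f` reload that needs a module not yet
  # loaded (a new expression or set type) will fail — keep that in mind
  # when appending rules from other modules.
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Presumably a fail-fast bound on applying the ruleset; the reason for
  # the value is not recorded here.
  systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";

  networking.nftables = {
    enable = true;
    # mkBefore: this base ruleset is emitted first, so that other .nix
    # modules can append to its chains with
    # `add rule inet filter <chain> ...` (see the per-chain comments).
    ruleset = lib.mkBefore (''
      table inet filter {
        # Shared helper chains (check-tcp, accept-connectivity-*, ...)
        # come from this include; their contents are not visible here.
        include "${../../../networking/nftables/filter.txt}"
        # A set containing the udp port(s) to which SSDP replies are allowed.
        # Elements expire after 5s, which bounds the reply window.
        set ssdp_out {
          type inet_service
          timeout 5s
        }
        # Traffic coming in from the Internet-facing interface.
        chain net2fw {
          #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
          #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
          #jump non-internet

          #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset

          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        # Traffic going out to the Internet-facing interface.
        # NTP is restricted to the systemd-timesync user; the other
        # services are allowed for any local user.
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 1965 counter accept comment "Gemini"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        # Per-interface chains, filled by other .nix modules.
        chain wifi2fw {
          # Some .nix append rules here with: add rule inet filter wifi2fw ...
        }
        chain fw2wifi {
          # Some .nix append rules here with: add rule inet filter fw2wifi ...
        }
        chain fwd-wifi {
          # Some .nix append rules here with: add rule inet filter fwd-wifi ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }
        chain fwd-intra {
          # Some .nix append rules here with: add rule inet filter fwd-intra ...
        }
        chain extra2fw {
          # Some .nix append rules here with: add rule inet filter extra2fw ...
        }

        # Default-deny on every hook; the per-interface gotos appended by
        # other modules decide what else is accepted.
        chain input {
          type filter hook input priority filter
          policy drop

          iifname lo accept

          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          # NOTE(review): whatever accept-connectivity-input accepts (it
          # lives in filter.txt) is not subject to this invalid-state
          # drop; the usual order is to drop invalid right after the
          # established/related accept — confirm this is intended.
          ct state invalid counter drop

          # admin services, accepted on every interface
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
        }
        chain forward {
          type filter hook forward priority filter
          policy drop

          ct state { related, established } accept
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop

          oifname lo accept

          ct state { related, established } accept
          jump accept-connectivity-output

          # Outgoing SSH from any local user, on every interface
          # (matched before the per-interface gotos below).
          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
      }
      table inet nat {
        # Both chains are empty here; other modules append DNAT/SNAT rules.
        # NOTE(review): nat prerouting chains are conventionally registered
        # at `priority dstnat` (-100) so DNAT runs before any prerouting
        # filter chain; `filter` (0) works as long as no other prerouting
        # chain is expected to see the post-DNAT packet — confirm.
        chain prerouting {
          type nat hook prerouting priority filter
          policy accept
        }
        chain postrouting {
          type nat hook postrouting priority srcnat
          policy accept
        }
      }
    '' + lib.optionalString (config.services.upnpc.redirections != []) (''
      # SSDP (UPnP discovery) is only opened when this host requests
      # router redirections itself (services.upnpc).  Sending is limited
      # by skuid to the upnpc and nsupdate users; the source port of each
      # multicast query is remembered in @ssdp_out (5s) so that the
      # unicast answer can get back in through net2fw.
      # NOTE(review): the answer rule matches the destination port only,
      # so any host can reach that port during the 5s window; pinning
      # `ip saddr` to the gateway would tighten it if the gateway is known.
      # Create a rule for accepting any SSDP packets going to a remembered port.
      add rule inet filter net2fw udp dport @ssdp_out \
        counter accept comment "SSDP answer"
      # NOTE(review): assumes the UPnP control endpoint is reached on
      # TCP 1900; routers commonly advertise another port — confirm.
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        tcp dport 1900 \
        counter accept \
        comment "SSDP automatic opening"
      # `set add ... @set` is the older spelling; current nft documents
      # `add @ssdp_out { udp sport }` for the same thing.
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip daddr 239.255.255.250 udp dport 1900 \
        set add udp sport @ssdp_out \
        comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip daddr 239.255.255.250 udp dport 1900 \
        counter accept comment "SSDP"
    '' + lib.optionalString config.networking.enableIPv6 ''
      # Same as above for the IPv6 SSDP multicast scopes.
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
        set add udp sport @ssdp_out comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
        counter accept comment "SSDP"
    '')
    );
  };
}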