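{ pkgs, lib, config, machines, ... }:
# nftables packet filter for the "mermet" machine.
#
# The base `inet filter` table below is placed first in the generated ruleset
# (lib.mkBefore) so that other .nix modules can extend its chains afterwards
# with `add rule inet filter <chain> ...`, as the in-chain comments describe.
let
  # Only `users` is needed here (for the NTP skuid match); the previously
  # inherited hasAttr/readFile/unlinesAttrs/groups were unused.
  inherit (config.users) users;
in
{
  # The NixOS iptables-based firewall is turned off: this ruleset is the only filter.
  networking.firewall.enable = false;
  # NOTE(review): disable-kernel-module-loading is the unit NixOS generates for
  # security.lockKernelModules; with lockKernelModules = false the ordering
  # below is presumably inert. It looks like a leftover from an attempt to lock
  # modules only after nftables loaded its own — confirm the intent.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # Inspect the evaluated / loaded ruleset with:
  # echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
  # nft list ruleset
  networking.nftables = {
    enable = true;
    ruleset = lib.mkBefore ''
      table inet filter {
        # Regular (non-base) chains: reached via gotos that other .nix modules
        # append to the input/output base chains below.
        chain net2fw {
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport {80,443} counter accept comment "HTTP"
          # NTP is only allowed for sockets owned by the systemd-timesync user.
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        # LAN traffic is unrestricted in both directions.
        chain lan2fw {
          accept
          # Some .nix append rules here with: add rule inet filter lan2fw ...
        }
        chain fw2lan {
          accept
          # Some .nix append rules here with: add rule inet filter fw2lan ...
        }

        chain input {
          type filter hook input priority 0
          policy drop

          iifname lo accept

          # accept traffic already established
          ct state {established, related} accept
          ct state invalid drop

          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # ICMP
          # NOTE(review): `ip protocol icmp` matches IPv4 only. In an inet table the
          # ICMPv6 rules are commented out, so under `policy drop` IPv6 neighbour
          # discovery would be dropped — confirm this host does not rely on IPv6.
          #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

          # allow "ping"
          #ip6 nexthdr icmpv6 icmpv6 type echo-request accept
          ip protocol icmp icmp type echo-request accept

          # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
        }
        chain output {
          type filter hook output priority 0
          policy drop

          oifname lo accept

          ct state {related,established} accept
          ct state invalid drop

          icmp type echo-request counter accept comment "Ping"
          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        # This host does not route: nothing is forwarded.
        chain forward {
          type filter hook forward priority 0
          policy drop
          drop
        }
      }
    '';
  };
}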