tor: improve type-checking and hardening
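{ pkgs, lib, config, machines, ... }:
let
  inherit (builtins) hasAttr readFile;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.users) users groups;
in
{
  # The NixOS iptables-based firewall is replaced by the nftables ruleset below.
  networking.firewall.enable = false;
  # NOTE(review): kernel module locking is disabled here, so the ordering of
  # disable-kernel-module-loading after nftables.service (load nft_* modules
  # before locking) only has an effect if another module sets
  # security.lockKernelModules back to true — confirm intent.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
  # (substitute this machine's name for losurdo)
  # nft list ruleset
  networking.nftables = {
    enable = true;
    # mkBefore: other .nix modules append rules to the named chains below with
    # `add rule inet filter <chain> ...`, so this base table must come first.
    ruleset = lib.mkBefore ''
      table inet filter {
        # Per-source log rate limit shared by every logging chain: a given source
        # address gets at most one log line per minute, so a flood cannot fill
        # the journal while still leaving a trace.
        set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
        #set lograte6 { type ipv6_addr; size 65535; flags dynamic; }
        chain ping-flood {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
          counter drop
        }
        chain check-ping {
          ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
          #ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
        }
        chain smurf {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
          counter drop
        }
        chain check-broadcast {
          #ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
          fib saddr type broadcast counter goto smurf
          ip saddr 224.0.0.0/4 counter goto smurf
        }
        chain bogus-tcp {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
          counter drop
        }
        chain syn-flood {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
          counter drop
        }
        chain check-tcp {
          # Drop TCP packets whose flag combinations never occur in a legitimate
          # handshake (classic scan signatures), then rate-limit fresh SYNs.
          tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
          tcp flags & (ack|fin) == fin counter goto bogus-tcp
          tcp flags & (ack|psh) == psh counter goto bogus-tcp
          tcp flags & (ack|urg) == urg counter goto bogus-tcp
          # (the former duplicate `tcp flags & (fin|ack) == fin` rule was identical
          # to the (ack|fin) rule above and could never match; removed)
          tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
          tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
          tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
          tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
          tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
          tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
          tcp flags == (fin|urg|psh) counter goto bogus-tcp
          tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
          tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp

          ct state new tcp flags != syn counter goto bogus-tcp
          tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
          tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
        }
        chain spoofing {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "spoofing: "
          counter drop
        }
        chain check-public {
          # Source addresses that cannot legitimately arrive from the internet
          # (RFC 1918, loopback, link-local, documentation, benchmarking,
          # multicast and reserved space).
          ip saddr 0.0.0.0/8 counter goto spoofing
          ip saddr 10.0.0.0/8 counter goto spoofing
          ip saddr 127.0.0.0/8 counter goto spoofing
          ip saddr 169.254.0.0/16 counter goto spoofing
          ip saddr 172.16.0.0/12 counter goto spoofing
          ip saddr 192.0.2.0/24 counter goto spoofing comment "RFC 5737 TEST-NET-1"
          ip saddr 198.51.100.0/24 counter goto spoofing comment "RFC 5737 TEST-NET-2"
          ip saddr 203.0.113.0/24 counter goto spoofing comment "RFC 5737 TEST-NET-3"
          ip saddr 198.18.0.0/15 counter goto spoofing comment "RFC 2544 benchmarking"
          ip saddr 192.168.0.0/16 counter goto spoofing
          # 224.0.0.0/3 spans 224.0.0.0-255.255.255.255, so it already covers the
          # former 240.0.0.0/5 rule (multicast and reserved).
          ip saddr 224.0.0.0/3 counter goto spoofing
          # NOTE(review): 100.64.0.0/10 (RFC 6598 shared address space) is not
          # listed; it is a bogon on a direct uplink but legitimate behind
          # carrier-grade NAT — decide per uplink.
        }
        chain net2fw {
          jump check-public
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          # NTP is only allowed for the time-sync service user, not for any process.
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 9418 counter accept comment "Git"

          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain lan2fw {
          accept
          # Some .nix append rules here with: add rule inet filter lan2fw ...
        }
        chain fw2lan {
          accept
          # Some .nix append rules here with: add rule inet filter fw2lan ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }

        chain input {
          type filter hook input priority 0
          policy drop

          iifname lo accept

          # Sanity checks run before the conntrack shortcut so that malformed
          # packets on already-established flows are still caught.
          jump check-tcp
          jump check-ping
          jump check-broadcast

          # accept traffic already established
          ct state { established, related } accept
          ct state invalid drop

          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"

          # ICMP: the listed types are accepted silently (echo-request is already
          # rate-limited by check-ping above). Any other ICMP type is still
          # accepted but logged, at most once per minute per source through
          # @lograte4, so unusual ICMP cannot be used to flood the journal.
          ip protocol icmp icmp type echo-request counter accept
          ip protocol icmp icmp type destination-unreachable counter accept
          ip protocol icmp icmp type router-solicitation counter accept
          ip protocol icmp icmp type router-advertisement counter accept
          ip protocol icmp icmp type time-exceeded counter accept
          ip protocol icmp icmp type parameter-problem counter accept
          ip protocol icmp add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "net2fw: icmpv: "
          ip protocol icmp counter accept
          #ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } counter accept

          #ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-reduction counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report counter accept
          #ip6 nexthdr ipv6-icmp log level warn prefix "net2fw: icmpv6: " counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-reduction, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } counter accept

          # (a second, unreachable `icmp type echo-request accept` rule that used
          # to follow here was removed: the echo-request rule above already
          # terminates for those packets)
          #ip6 nexthdr ipv6-icmp icmpv6 type echo-request accept

          # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
        }
        chain output {
          type filter hook output priority 0
          policy drop

          oifname lo accept

          ct state { established, related } accept
          ct state invalid drop

          icmp type echo-request counter accept comment "Ping"
          tcp dport 22 counter accept comment "SSH"

          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        chain forward {
          # This host does not route: everything is dropped explicitly, not only by policy.
          type filter hook forward priority 0
          policy drop
          drop
        }
      }
    '';
  };
}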