]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/networking/nftables.nix
nix: update to latest nixpkgs-unstable
[sourcephile-nix.git] / machines / losurdo / networking / nftables.nix
1 { pkgs, lib, config, machines, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users groups;
6 in
7 {
8 networking.firewall.enable = false;
9 security.lockKernelModules = false;
10 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
11 # echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
12 # nft list ruleset
13 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
14 networking.nftables = {
15 enable = true;
16 ruleset = lib.mkBefore ''
17 table inet filter {
18 chain net2fw {
19 #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
20 #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
21
22 # Some .nix append rules here with: add rule inet filter net2fw ...
23 }
24 chain fw2net {
25 ip daddr ${machines.losurdo.extraArgs.ipv4} counter accept comment "losurdo"
26 ip daddr ${machines.mermet.extraArgs.ipv4} counter accept comment "mermet"
27 ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
28 tcp dport {80,443} counter accept comment "HTTP"
29 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
30 tcp dport 9418 counter accept comment "Git"
31
32 # Some .nix append rules here with: add rule inet filter fw2net ...
33 }
34 chain intra2fw {
35 # Some .nix append rules here with: add rule inet filter intra2fw ...
36 }
37 chain fw2intra {
38 # Some .nix append rules here with: add rule inet filter fw2intra ...
39 }
40 chain fwd-intra {
41 # Some .nix append rules here with: add rule inet filter fwd-intra ...
42 }
43
44 chain input {
45 type filter hook input priority 0
46 policy drop
47
48 iifname lo accept
49
50 # Ping flood limit
51 ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets log level warn prefix "net2fw: ping flood: " counter drop
52 ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets log level warn prefix "net2fw: ping flood: " counter drop
53
54 # accept traffic already established
55 ct state {established, related} accept
56 ct state invalid drop
57
58 # admin services
59 tcp dport 22 counter accept comment "SSH"
60 udp dport 60000-61000 counter accept comment "Mosh"
61
62 # ICMP
63 ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } counter accept
64
65 ip6 nexthdr icmpv6 icmpv6 type echo-request counter accept
66 ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-solicit counter accept
67 ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-advert counter accept
68 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
69 ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter accept
70 ip6 nexthdr icmpv6 icmpv6 type mld-listener-query counter accept
71 ip6 nexthdr icmpv6 icmpv6 type mld-listener-report counter accept
72 ip6 nexthdr icmpv6 icmpv6 type mld-listener-reduction counter accept
73 ip6 nexthdr icmpv6 icmpv6 type destination-unreachable counter accept
74 ip6 nexthdr icmpv6 icmpv6 type packet-too-big counter accept
75 ip6 nexthdr icmpv6 icmpv6 type time-exceeded counter accept
76 ip6 nexthdr icmpv6 icmpv6 type parameter-problem counter accept
77 ip6 nexthdr icmpv6 icmpv6 type ind-neighbor-solicit counter accept
78 ip6 nexthdr icmpv6 icmpv6 type ind-neighbor-advert counter accept
79 ip6 nexthdr icmpv6 icmpv6 type mld2-listener-report counter accept
80 ip6 nexthdr icmpv6 log level info prefix "net2fw: icmpv6: " counter accept
81 #ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-reduction, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } counter accept
82
83 # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
84 }
85 chain output {
86 type filter hook output priority 0
87 policy drop
88
89 oifname lo accept
90
91 ct state {related,established} accept
92 ct state invalid drop
93
94 # ICMP
95 ip protocol icmp counter accept
96 ip6 nexthdr icmpv6 counter accept
97
98 tcp dport 22 counter accept comment "SSH"
99
100 # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
101 }
102 chain forward {
103 type filter hook forward priority 0
104 policy drop
105 }
106 }
107 '';
108 };
109 }