nftables: harden input checks on losurdo

[sourcephile-nix.git] / machines / losurdo / networking / nftables.nix

{ pkgs, lib, config, machines, ... }:
let
  inherit (builtins) hasAttr readFile;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.users) users groups;
in
{
networking.firewall.enable = false;
security.lockKernelModules = false;
systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
networking.nftables = {
  enable = true;
  ruleset = lib.mkBefore ''
    table inet filter {
      set lograte {
        type ipv4_addr
        size 65535
        flags dynamic
      }
      chain ping-flood {
        add @lograte { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
        counter drop
      }
      chain check-ping {
        ip protocol icmp   icmp   type echo-request limit rate over 10/second burst 20 packets goto ping-flood
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
      }
      chain smurf {
        add @lograte { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
        counter drop
      }
      chain check-broadcast {
        ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
        fib saddr type broadcast counter goto smurf
        ip saddr 224.0.0.0/4     counter goto smurf
      }
      chain bogus-tcp {
        add @lograte { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
        counter drop
      }
      chain syn-flood {
        add @lograte { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
        counter drop
      }
      chain check-tcp {
        tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
        tcp flags & (ack|fin) == fin counter goto bogus-tcp
        tcp flags & (ack|psh) == psh counter goto bogus-tcp
        tcp flags & (ack|urg) == urg counter goto bogus-tcp
        tcp flags & (fin|ack) == fin counter goto bogus-tcp
        tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
        tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
        tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
        tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
        tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
        tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
        tcp flags == (fin|urg|psh) counter goto bogus-tcp
        tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
        tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp

        ct state new tcp flags != syn counter goto bogus-tcp
        tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
        tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
      }
      chain check-public {
        #ip saddr 224.0.0.0/3 counter drop
        #ip saddr 169.254.0.0/16 counter drop
        #ip saddr 172.16.0.0/12 counter drop
        #ip saddr 192.0.2.0/24 counter drop
        #ip saddr 192.168.0.0/16 counter drop
        #ip saddr 10.0.0.0/8 counter drop
        #ip saddr 0.0.0.0/8 counter drop
        #ip saddr 240.0.0.0/5 counter drop
        #ip saddr 127.0.0.0/8 counter drop
      }
      chain net2fw {
        #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
        #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
        #jump non-internet

        #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
        
        # Some .nix append rules here with: add rule inet filter net2fw ...
      }
      chain fw2net {
        ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
        tcp dport { 80, 443 } counter accept comment "HTTP"
        udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
        tcp dport 9418 counter accept comment "Git"
        
        # Some .nix append rules here with: add rule inet filter fw2net ...
      }
      chain intra2fw {
        # Some .nix append rules here with: add rule inet filter intra2fw ...
      }
      chain fw2intra {
        # Some .nix append rules here with: add rule inet filter fw2intra ...
      }
      chain fwd-intra {
        # Some .nix append rules here with: add rule inet filter fwd-intra ...
      }

      chain input {
        type filter hook input priority 0
        policy drop
    
        iifname lo accept
        
        jump check-tcp
        jump check-ping
        jump check-broadcast
    
        ct state { established, related } accept
        ct state invalid counter drop
    
        # admin services
        tcp dport 22 counter accept comment "SSH"
        udp dport 60000-61000 counter accept comment "Mosh"
    
        # ICMP
        ip protocol icmp icmp type echo-request counter accept
        ip protocol icmp icmp type destination-unreachable counter accept
        ip protocol icmp icmp type router-solicitation counter accept
        ip protocol icmp icmp type router-advertisement counter accept
        ip protocol icmp icmp type time-exceeded counter accept
        ip protocol icmp icmp type parameter-problem counter accept
        #ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } counter accept
        ip protocol icmp log level warn prefix "net2fw: icmpv: " counter accept

        ip6 nexthdr icmpv6 icmpv6 type echo-request counter accept
        ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-solicit counter accept
        ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-advert counter accept
        ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
        ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter accept
        ip6 nexthdr icmpv6 icmpv6 type mld-listener-query counter accept
        ip6 nexthdr icmpv6 icmpv6 type mld-listener-report counter accept
        ip6 nexthdr icmpv6 icmpv6 type mld-listener-reduction counter accept
        ip6 nexthdr icmpv6 icmpv6 type destination-unreachable counter accept
        ip6 nexthdr icmpv6 icmpv6 type packet-too-big counter accept
        ip6 nexthdr icmpv6 icmpv6 type time-exceeded counter accept
        ip6 nexthdr icmpv6 icmpv6 type parameter-problem counter accept
        ip6 nexthdr icmpv6 icmpv6 type ind-neighbor-solicit counter accept
        ip6 nexthdr icmpv6 icmpv6 type ind-neighbor-advert counter accept
        ip6 nexthdr icmpv6 icmpv6 type mld2-listener-report counter accept
        ip6 nexthdr icmpv6 log level warn prefix "net2fw: icmpv6: " counter accept
        #ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-reduction, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } counter accept

        # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
      }
      chain output {
        type filter hook output priority 0
        policy drop

        oifname lo accept

        ct state { related, established } accept
        ct state invalid counter drop

        # ICMP
        ip protocol icmp counter accept
        ip6 nexthdr icmpv6 counter accept

        tcp dport 22 counter accept comment "SSH"

        # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
      }
      chain forward {
        type filter hook forward priority 0
        policy drop
      }
    }
  '';
};
}