{ pkgs, lib, config, hosts, ... }:
# Host-specific nftables configuration for mermet.
#
# The ruleset is wrapped in lib.mkBefore so that the `inet filter` and
# `inet nat` tables and their chains exist before any other module's ruleset
# fragment is concatenated after it; those fragments extend the chains with
# `add rule inet filter <chain> ...` (see the markers inside the ruleset).
let
  # Declared user accounts; only the systemd-timesyncd user is used below to
  # restrict outbound NTP to that single uid.
  users = config.users.users;
in
{
  # Packet filtering is done entirely through networking.nftables, so the
  # iptables-based NixOS firewall module is disabled to avoid two competing
  # rule sets on the same host.
  networking.firewall.enable = false;

  # Kernel modules stay loadable here. The ordering below makes the
  # module-loading lock-down service (if some other module enables it) start
  # only after nftables.service, presumably so that the nf_tables modules
  # can still be loaded during ruleset activation — confirm against the
  # modules that set security.lockKernelModules.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading = {
    after = [ "nftables.service" ];
  };

  # Inspecting the generated ruleset:
  #   echo -e "$(nix eval hosts.losurdo.config.networking.nftables.ruleset)"
  #   nft list ruleset
  # NOTE(review): the eval path names losurdo although this file lives under
  # hosts/mermet — confirm it should not read hosts.mermet.
  networking.nftables.enable = true;

  # Notes for reviewers of the ruleset string below (nft syntax, not Nix):
  # - The `${../../../networking/nftables/filter.txt}` interpolation copies
  #   filter.txt into the Nix store and includes the store copy. The
  #   check-* and accept-connectivity-* chains jumped to below are not
  #   defined in this file, so they are presumably provided by that include
  #   — confirm.
  # - input, output and forward all default to `policy drop`. forward
  #   carries no rules here, so nothing is forwarded and the nat table is
  #   inert unless another module appends rules.
  # - The SSH (22/tcp) and Mosh (60000-61000/udp) accept rules in `input`
  #   carry no source-address or interface qualifier, so they are reachable
  #   from any interface the chain sees, unless the check-* chains from the
  #   include reject the traffic first.
  # - lan2fw and fw2lan accept unconditionally; they are only safe if the
  #   `goto` rules other modules append to input/output select them by
  #   interface, as the trailing markers suggest — confirm.
  networking.nftables.ruleset = lib.mkBefore ''
    table inet filter {
      include "${../../../networking/nftables/filter.txt}"
      chain net2fw {
        jump check-public
        # Some .nix append rules here with: add rule inet filter net2fw ...
      }
      chain fw2net {
        tcp dport { 80, 443 } counter accept comment "HTTP"
        udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
        tcp dport 9418 counter accept comment "Git"

        # Some .nix append rules here with: add rule inet filter fw2net ...
      }
      chain lan2fw {
        accept
        # Some .nix append rules here with: add rule inet filter lan2fw ...
      }
      chain fw2lan {
        accept
        # Some .nix append rules here with: add rule inet filter fw2lan ...
      }
      chain intra2fw {
        # Some .nix append rules here with: add rule inet filter intra2fw ...
      }
      chain fw2intra {
        # Some .nix append rules here with: add rule inet filter fw2intra ...
      }

      chain input {
        type filter hook input priority 0
        policy drop

        iifname lo accept

        jump check-tcp
        jump check-ping
        jump check-broadcast

        # accept traffic already established
        ct state { established, related } accept
        jump accept-connectivity-input
        ct state invalid drop

        # admin services
        tcp dport 22 counter accept comment "SSH"
        udp dport 60000-61000 counter accept comment "Mosh"

        # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
      }
      chain output {
        type filter hook output priority 0
        policy drop

        oifname lo accept

        tcp flags syn tcp option maxseg size set rt mtu

        ct state { established, related } accept
        jump accept-connectivity-output

        tcp dport 22 counter accept comment "SSH"

        # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
      }
      chain forward {
        type filter hook forward priority 0
        policy drop
      }
    }
    table inet nat {
      chain prerouting {
        type nat hook prerouting priority filter
        policy accept
      }
      chain postrouting {
        type nat hook postrouting priority srcnat
        policy accept
      }
    }
  '';
}