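# NixOS module: the host packet filter, written as a raw nftables ruleset
# instead of the `networking.firewall` abstraction (which is turned off here).
#
# Layout of `table inet filter`:
#   * `check-*` chains are pre-filters that `input` jumps to BEFORE the
#     conntrack shortcut, so every inbound packet -- including packets on
#     already-established flows -- is screened for bogus TCP flag
#     combinations, ping floods and broadcast/multicast (smurf) sources.
#   * `bogus-tcp`, `syn-flood`, `ping-flood`, `smurf`, `spoofing` are the
#     terminal chains: log once per source IP per minute (via the dynamic
#     `lograte4` set) and drop.
#   * `net2fw`, `fw2net`, `lan2fw`, `fw2lan`, `intra2fw`, `fw2intra` are zone
#     chains that are NOT attached to any hook in this file. Other .nix
#     modules route interfaces into them
#     (`add rule inet filter input iifname ... goto ...`) and append their own
#     rules (`add rule inet filter <chain> ...`), so the base ruleset is
#     installed with `lib.mkBefore` to make those chains exist first.
#
# Only IPv4 rules are active: every `ip6` / `icmpv6` rule is commented out.
# Since the table family is `inet` and the hook policies are `drop`, IPv6 is
# accepted only by the protocol-agnostic rules (loopback, established/related,
# the SSH/Mosh ports) and ICMPv6 -- including neighbour discovery and router
# advertisements -- is dropped on input.
# NOTE(review): that is only harmless if IPv6 is disabled on this host; confirm.
#
# Inspect the rendered ruleset with:
#   echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
#   nft list ruleset
{ lib, config, ... }:
let
  # Only the systemd-timesync user name is needed (NTP egress rule below).
  inherit (config.users) users;
in
{
  # The NixOS firewall would install a competing ruleset; only the rules
  # below are meant to apply.
  networking.firewall.enable = false;

  # Kernel module loading is left unlocked. The service ordering is still
  # declared so that, should the lock be enabled, it only takes effect after
  # nftables has had the chance to load its kernel modules (presumably the
  # reason for keeping it -- confirm before relying on it).
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  networking.nftables = {
    enable = true;
    # mkBefore: this base ruleset must precede the `add rule ...` fragments
    # other modules contribute, otherwise the chains they add to do not exist yet.
    ruleset = lib.mkBefore ''
      table inet filter {
        # Dynamic set used to rate-limit logging to one line per source per minute.
        set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
        #set lograte6 { type ipv6_addr; size 65535; flags dynamic; }

        chain ping-flood {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
          counter drop
        }
        chain check-ping {
          ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
          #ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
        }

        chain smurf {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
          counter drop
        }
        chain check-broadcast {
          #ip saddr 0.0.0.0/32 counter accept comment "DHCP broadcast"
          fib saddr type broadcast counter goto smurf
          ip saddr 224.0.0.0/4 counter goto smurf
        }

        chain bogus-tcp {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
          counter drop
        }
        chain syn-flood {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
          #add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
          counter drop
        }
        # Invalid flag combinations (scan signatures), non-SYN openers and
        # SYN floods. Runs before the conntrack accept, so it applies to all flows.
        chain check-tcp {
          tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
          tcp flags & (ack|fin) == fin counter goto bogus-tcp
          tcp flags & (ack|psh) == psh counter goto bogus-tcp
          tcp flags & (ack|urg) == urg counter goto bogus-tcp
          tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
          tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
          tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
          tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
          tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
          tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
          tcp flags == (fin|urg|psh) counter goto bogus-tcp
          tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
          tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp
          ct state new tcp flags != syn counter goto bogus-tcp
          tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
          tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
        }

        chain spoofing {
          add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "spoofing: "
          counter drop
        }
        # Source addresses that must never arrive from a public interface.
        # 224.0.0.0/3 already covers the whole 224.0.0.0-255.255.255.255 range.
        chain check-public {
          ip saddr 0.0.0.0/8 counter goto spoofing
          ip saddr 10.0.0.0/8 counter goto spoofing
          ip saddr 127.0.0.0/8 counter goto spoofing
          ip saddr 169.254.0.0/16 counter goto spoofing
          ip saddr 172.16.0.0/12 counter goto spoofing
          ip saddr 192.0.2.0/24 counter goto spoofing
          ip saddr 192.168.0.0/16 counter goto spoofing
          ip saddr 224.0.0.0/3 counter goto spoofing
        }

        # Zone chains: reached only via gotos that other modules add to input/output.
        chain net2fw {
          jump check-public
          # Some .nix append rules here with: add rule inet filter net2fw ...
        }
        chain fw2net {
          tcp dport { 80, 443 } counter accept comment "HTTP"
          udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport 9418 counter accept comment "Git"
          # Some .nix append rules here with: add rule inet filter fw2net ...
        }
        chain lan2fw {
          accept
          # Some .nix append rules here with: add rule inet filter lan2fw ...
        }
        chain fw2lan {
          accept
          # Some .nix append rules here with: add rule inet filter fw2lan ...
        }
        chain intra2fw {
          # Some .nix append rules here with: add rule inet filter intra2fw ...
        }
        chain fw2intra {
          # Some .nix append rules here with: add rule inet filter fw2intra ...
        }

        chain input {
          type filter hook input priority 0
          policy drop
          iifname lo accept
          # Pre-filters run before the conntrack shortcut on purpose.
          jump check-tcp
          jump check-ping
          jump check-broadcast
          # accept traffic already established
          ct state { established, related } accept
          ct state invalid drop
          # admin services
          tcp dport 22 counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          # ICMP
          ip protocol icmp icmp type echo-request counter accept
          ip protocol icmp icmp type destination-unreachable counter accept
          ip protocol icmp icmp type router-solicitation counter accept
          ip protocol icmp icmp type router-advertisement counter accept
          ip protocol icmp icmp type time-exceeded counter accept
          ip protocol icmp icmp type parameter-problem counter accept
          # Catch-all for every other ICMPv4 type: logged and accepted.
          # Unlike the drop chains this log is not rate-limited, so a burst of
          # unusual ICMP produces one log line per packet.
          ip protocol icmp log level warn prefix "net2fw: icmpv: " counter accept
          #ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-reduction counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report counter accept
          #ip6 nexthdr ipv6-icmp log level warn prefix "net2fw: icmpv6: " counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, mld-listener-report, mld-listener-reduction, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } counter accept
          #ip6 nexthdr ipv6-icmp icmpv6 type echo-request accept
          # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
        }
        # Outbound default-deny: only ping and SSH are allowed unconditionally;
        # HTTP/NTP/Git egress lives in fw2net, which other modules attach per interface.
        chain output {
          type filter hook output priority 0
          policy drop
          oifname lo accept
          ct state { established, related } accept
          ct state invalid drop
          icmp type echo-request counter accept comment "Ping"
          tcp dport 22 counter accept comment "SSH"
          # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
        }
        # This host does not route.
        chain forward {
          type filter hook forward priority 0
          policy drop
          drop
        }
      }
    '';
  };
}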