let
inherit (builtins) hasAttr readFile;
inherit (pkgs.lib) unlinesAttrs;
+ inherit (config) networking;
inherit (config.users) users groups;
in
{
networking.firewall.enable = false;
security.lockKernelModules = false;
systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
-# echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
-# nft list ruleset
systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
networking.nftables = {
enable = true;
ruleset = lib.mkBefore ''
table inet filter {
+ include "${../../../var/nftables/filter.txt}"
chain net2fw {
+ #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
+ #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
+ #jump non-internet
+
+ #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
+
# Some .nix append rules here with: add rule inet filter net2fw ...
}
chain fw2net {
- tcp dport {80,443} counter accept comment "HTTP"
+ tcp dport { 80, 443 } counter accept comment "HTTP"
udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ tcp dport 1965 counter accept comment "Gemini"
tcp dport 9418 counter accept comment "Git"
-
+
# Some .nix append rules here with: add rule inet filter fw2net ...
}
+ chain wifi2fw {
+ # Some .nix append rules here with: add rule inet filter wifi2fw ...
+ }
+ chain fw2wifi {
+ # Some .nix append rules here with: add rule inet filter fw2wifi ...
+ }
+ chain fwd-wifi {
+ # Some .nix append rules here with: add rule inet filter fwd-wifi ...
+ }
chain intra2fw {
# Some .nix append rules here with: add rule inet filter intra2fw ...
}
chain fwd-intra {
# Some .nix append rules here with: add rule inet filter fwd-intra ...
}
+ chain extra2fw {
+ # Some .nix append rules here with: add rule inet filter extra2fw ...
+ }
chain input {
- type filter hook input priority 0
+ type filter hook input priority filter
policy drop
-
+
iifname lo accept
-
- # accept traffic already established
- ct state {established, related} accept
- ct state invalid drop
-
+
+ jump check-tcp
+ ct state { established, related } accept
+ jump accept-connectivity-input
+ ct state invalid counter drop
+
# admin services
tcp dport 22 counter accept comment "SSH"
udp dport 60000-61000 counter accept comment "Mosh"
-
- # ICMP
- ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
- ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
-
- # allow "ping"
- ip6 nexthdr icmpv6 icmpv6 type echo-request accept
- ip protocol icmp icmp type echo-request accept
# Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
}
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+ ct state { related, established } accept
+ jump accept-connectivity-forward
+ }
chain output {
- type filter hook output priority 0
+ type filter hook output priority filter
policy drop
oifname lo accept
- ct state {related,established} accept
- ct state invalid drop
+ ct state { related, established } accept
+ jump accept-connectivity-output
- icmp type echo-request counter accept comment "Ping"
tcp dport 22 counter accept comment "SSH"
# Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
}
- chain forward {
- type filter hook forward priority 0
- policy drop
+ }
+ table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority filter
+ policy accept
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
}
}
'';
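Review bot: The rewritten input chain now evaluates `ct state invalid counter drop` only after `jump check-tcp` and `jump accept-connectivity-input`, while the new forward chain has no invalid-state drop at all and the output chain loses the `ct state invalid drop` it had before; whatever the jumped-to chains accept (they are not in this hunk, presumably they come from the included filter.txt) is therefore reachable by packets the old ruleset dropped outright. Unless that ordering is deliberate, placing `ct state invalid counter drop` directly after each `ct state { established, related } accept` in input, forward and output keeps the previous semantics and gives the new forward chain the same guard. If the ordering is intentional because the connectivity chains must see invalid packets (e.g. for ICMP error handling), a one-line comment such as `# invalid-state drop is after the jumps on purpose: check-tcp/accept-connectivity-* must see them first` would stop the next reader from "fixing" it.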