authorGregor Kleen <gkleen@yggdrasil.li>2021-12-08 17:59:52 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-08 17:59:52 +0100
commit8124337c5182b02e3057ebde1213050d4a714a0f (patch)
tree75ca0a216c5bacefdff73640f1ec86e6a3f85dd9
parentfb7cd0220c908408910d26b9823acef9fe2b39e2 (diff)
vidhar: nftables...
-rw-r--r--hosts/vidhar/default.nix50
-rw-r--r--hosts/vidhar/ruleset.nft71
-rw-r--r--shell.nix1
3 files changed, 75 insertions, 47 deletions
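--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -78,54 +78,10 @@
 ];
 };
 
-firewall = {
+firewall.enable = false;
+nftables = {
 enable = true;
-package = pkgs.iptables-nftables-compat;
+rulesetFile = ./ruleset.nft;
-allowPing = true;
-allowedTCPPorts = [
-22 # ssh
-];
-allowedUDPPorts = [
-51820 # wireguard
-];
-allowedUDPPortRanges = [
-{ from = 60000; to = 61000; } # mosh
-];
-extraCommands = ''
-ip46tables -D FORWARD -j nixos-fw-forward 2>/dev/null || true
-ip46tables -F nixos-fw-forward 2>/dev/null || true
-ip46tables -X nixos-fw-forward 2>/dev/null || true
-ip46tables -N nixos-fw-forward
-
-ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
-ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
-ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
-ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
-
-ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
-ip46tables -A FORWARD -j nixos-fw-forward
-
-
-ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
-ip46tables -t nat -F nixos-fw-postrouting 2>/dev/null || true
-ip46tables -t nat -X nixos-fw-postrouting 2>/dev/null || true
-ip46tables -t nat -N nixos-fw-postrouting
-
-iptables -t nat -A nixos-fw-postrouting -o dsl -j MASQUERADE
-
-ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting
-
-
-ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
-ip46tables -t mangle -F nixos-fw-postrouting 2>/dev/null || true
-ip46tables -t mangle -X nixos-fw-postrouting 2>/dev/null || true
-
-ip46tables -t mangle -N nixos-fw-postrouting
-ip46tables -t mangle -A nixos-fw-postrouting -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
-ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting
-'';
 };
 };
 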
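Review bot: The new `firewall.enable = false;` on line 81 carries no comment saying that it is deliberate, and a reader diffing against the removed `allowedTCPPorts`/`allowedUDPPorts` cannot tell that the ssh, wireguard and mosh openings now live in ./ruleset.nft rather than having been dropped. I would annotate it, e.g. `firewall.enable = false; # filtering is done entirely by networking.nftables (./ruleset.nft); update that file when opening ports`. As far as I recall the NixOS nftables module of this period asserts that the iptables-based firewall is off, so the line is required, and recording that keeps someone from re-enabling it later. The enclosing attribute set (presumably `networking`) begins before line 78, outside this hunk.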
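--- /dev/null
+++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
+table inet filter {
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+iifname eno1 accept
+
+ct state {established, related} accept
+
+meta l4proto ipv6-icmp accept
+meta l4proto icmp accept
+meta l4proto igmp accept
+
+
+log prefix "drop forward:"
+counter
+}
+
+chain input {
+type filter hook input priority filter
+policy drop
+
+
+iifname lo accept
+iif != lo ip daddr 127.0.0.1/8 counter drop
+iif != lo ip6 daddr ::1/128 counter drop
+
+ct state {established, related} accept
+
+tcp dport 22 accept
+udp dport 51820 accept
+udp dport 60000-61000 accept
+
+meta l4proto ipv6-icmp accept
+meta l4proto icmp accept
+meta l4proto igmp accept
+
+log prefix "drop input:"
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+counter
+}
+}
+
+table ip nat {
+chain postrouting {
+type nat hook postrouting priority srcnat
+policy accept
+
+oifname dsl counter masquerade
+
+counter
+}
+}
+
+table inet mangle {
+chain postrouting {
+type filter hook postrouting priority mangle
+policy accept
+
+oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+
+counter
+}
+}
\ No newline at end of file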
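Review bot: The forward chain's `meta l4proto ipv6-icmp accept` (line 11) accepts every ICMPv6 type, whereas the iptables rules this file replaces refused ICMPv6 redirects and type 139 (node information query) before their blanket accept, so that hardening is silently lost for forwarded traffic. Restoring it is a single rule placed above the accept, `icmpv6 type { nd-redirect, 139 } counter drop`. Separately, the `log prefix "drop forward:"` and `log prefix "drop input:"` rules (lines 16 and 39) log every dropped packet with no `limit rate`, so on a host with a `dsl` uplink unsolicited traffic can fill the journal; `limit rate 10/minute burst 50 packets log prefix "drop input:"` keeps the visibility while bounding the volume, and the forward chain's log rule wants the same treatment.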
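--- a/shell.nix
+++ b/shell.nix
@@ -15,5 +15,6 @@ in pkgs.mkShell {
 sops
 wireguard
 gup
+nftables
 ];
 }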