vidhar: nftables...

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-08 17:59:52 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-08 17:59:52 +0100
commit: 8124337c5182b02e3057ebde1213050d4a714a0f (patch)
tree: 75ca0a216c5bacefdff73640f1ec86e6a3f85dd9
parent: fb7cd0220c908408910d26b9823acef9fe2b39e2 (diff)
download: nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.gz
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.bz2
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.xz
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.zip
3 files changed, 75 insertions, 47 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 622c2c54..e05b9416 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -78,54 +78,10 @@
        ];
      };
-      firewall = {
+      firewall.enable = false;
+      nftables = {
        enable = true;
-        package = pkgs.iptables-nftables-compat;
+        rulesetFile = ./ruleset.nft;
-        allowPing = true;
-        allowedTCPPorts = [
-          22 # ssh
-        ];
-        allowedUDPPorts = [
-          51820 # wireguard
-        ];
-        allowedUDPPortRanges = [
-          { from = 60000; to = 61000; } # mosh
-        ];
-        extraCommands = ''
-          ip46tables -D FORWARD -j nixos-fw-forward 2>/dev/null || true
-          ip46tables -F nixos-fw-forward 2>/dev/null || true
-          ip46tables -X nixos-fw-forward 2>/dev/null || true
-          ip46tables -N nixos-fw-forward
-          ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
-          ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
-          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
-          ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
-          ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
-          ip46tables -A FORWARD -j nixos-fw-forward
-          ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t nat -F nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t nat -X nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t nat -N nixos-fw-postrouting
-          iptables -t nat -A nixos-fw-postrouting -o dsl -j MASQUERADE
-          ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting
-          ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t mangle -F nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t mangle -X nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t mangle -N nixos-fw-postrouting
-          ip46tables -t mangle -A nixos-fw-postrouting -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-          ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting
-        '';
      };
    };
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
new file mode 100644
index 00000000..ae91af00
--- /dev/null
+++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
+table inet filter {
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    iifname eno1 accept
+    ct state {established, related} accept
+    meta l4proto ipv6-icmp accept
+    meta l4proto icmp accept
+    meta l4proto igmp accept
+    log prefix "drop forward:"
+    counter
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    iifname lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter drop
+    iif != lo ip6 daddr ::1/128 counter drop
+    ct state {established, related} accept
+    tcp dport 22 accept
+    udp dport 51820 accept
+    udp dport 60000-61000 accept
+    meta l4proto ipv6-icmp accept
+    meta l4proto icmp accept
+    meta l4proto igmp accept
+    log prefix "drop input:"
+    counter
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    counter
+  }
+}
+table ip nat {
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    oifname dsl counter masquerade
+    counter
+  }
+}
+table inet mangle {
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+    oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+    counter
+  }
+}
+\ No newline at end of file
diff --git a/shell.nix b/shell.nix
index ca0733a6..aef46c67 100644
--- a/shell.nix
+++ b/shell.nix
@@ -15,5 +15,6 @@ in pkgs.mkShell {
    sops
    wireguard
    gup
+    nftables
  ];
 }
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-08 17:59:52 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-08 17:59:52 +0100
commit	8124337c5182b02e3057ebde1213050d4a714a0f (patch)
tree	75ca0a216c5bacefdff73640f1ec86e6a3f85dd9
parent	fb7cd0220c908408910d26b9823acef9fe2b39e2 (diff)
download	nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.gz nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.bz2 nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.xz nixos-8124337c5182b02e3057ebde1213050d4a714a0f.zip

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 622c2c54..e05b9416 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -78,54 +78,10 @@
78	];	78	];
79	};	79	};
80		80
81	firewall = {	81	firewall.enable = false;
		82	nftables = {
82	enable = true;	83	enable = true;
83	package = pkgs.iptables-nftables-compat;	84	rulesetFile = ./ruleset.nft;
84	allowPing = true;
85	allowedTCPPorts = [
86	22 # ssh
87	];
88	allowedUDPPorts = [
89	51820 # wireguard
90	];
91	allowedUDPPortRanges = [
92	{ from = 60000; to = 61000; } # mosh
93	];
94	extraCommands = ''
95	ip46tables -D FORWARD -j nixos-fw-forward 2>/dev/null \|\| true
96	ip46tables -F nixos-fw-forward 2>/dev/null \|\| true
97	ip46tables -X nixos-fw-forward 2>/dev/null \|\| true
98	ip46tables -N nixos-fw-forward
99
100	ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
101	ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
102	ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
103	ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
104	ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
105
106	ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
107	ip46tables -A FORWARD -j nixos-fw-forward
108
109
110	ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null \|\| true
111	ip46tables -t nat -F nixos-fw-postrouting 2>/dev/null \|\| true
112	ip46tables -t nat -X nixos-fw-postrouting 2>/dev/null \|\| true
113	ip46tables -t nat -N nixos-fw-postrouting
114
115	iptables -t nat -A nixos-fw-postrouting -o dsl -j MASQUERADE
116
117	ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting
118
119
120	ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null \|\| true
121	ip46tables -t mangle -F nixos-fw-postrouting 2>/dev/null \|\| true
122	ip46tables -t mangle -X nixos-fw-postrouting 2>/dev/null \|\| true
123
124	ip46tables -t mangle -N nixos-fw-postrouting
125	ip46tables -t mangle -A nixos-fw-postrouting -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
126
127	ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting
128	'';
129	};	85	};
130	};	86	};
131		87


diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft new file mode 100644 index 00000000..ae91af00 --- /dev/null +++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
		1	table inet filter {
		2	chain forward {
		3	type filter hook forward priority filter
		4	policy drop
		5
		6
		7	iifname eno1 accept
		8
		9	ct state {established, related} accept
		10
		11	meta l4proto ipv6-icmp accept
		12	meta l4proto icmp accept
		13	meta l4proto igmp accept
		14
		15
		16	log prefix "drop forward:"
		17	counter
		18	}
		19
		20	chain input {
		21	type filter hook input priority filter
		22	policy drop
		23
		24
		25	iifname lo accept
		26	iif != lo ip daddr 127.0.0.1/8 counter drop
		27	iif != lo ip6 daddr ::1/128 counter drop
		28
		29	ct state {established, related} accept
		30
		31	tcp dport 22 accept
		32	udp dport 51820 accept
		33	udp dport 60000-61000 accept
		34
		35	meta l4proto ipv6-icmp accept
		36	meta l4proto icmp accept
		37	meta l4proto igmp accept
		38
		39	log prefix "drop input:"
		40	counter
		41	}
		42
		43	chain output {
		44	type filter hook output priority filter
		45	policy accept
		46
		47	counter
		48	}
		49	}
		50
		51	table ip nat {
		52	chain postrouting {
		53	type nat hook postrouting priority srcnat
		54	policy accept
		55
		56	oifname dsl counter masquerade
		57
		58	counter
		59	}
		60	}
		61
		62	table inet mangle {
		63	chain postrouting {
		64	type filter hook postrouting priority mangle
		65	policy accept
		66
		67	oifname dsl meta l4proto tcp tcp flags & (syn\|rst) == syn counter tcp option maxseg size set rt mtu
		68
		69	counter
		70	}
		71	} \ No newline at end of file


diff --git a/shell.nix b/shell.nix index ca0733a6..aef46c67 100644 --- a/shell.nix +++ b/shell.nix
@@ -15,5 +15,6 @@ in pkgs.mkShell {
15	sops	15	sops
16	wireguard	16	wireguard
17	gup	17	gup
		18	nftables
18	];	19	];
19	}	20	}