authorGregor Kleen <gkleen@yggdrasil.li>2021-12-13 18:05:08 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-13 18:05:08 +0100
commit1f0101786a8c3eb9767132bf5317672b3cf9d16c (patch)
tree6fefd72f50cbea3121870f5bd0f31d917bd4d826
parent570df959e20b32884cb8ba62a6509257dbf20ce7 (diff)
surtr: nftables
-rw-r--r--hosts/surtr/default.nix6
-rw-r--r--hosts/surtr/ruleset.nft109
2 files changed, 115 insertions, 0 deletions
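--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -64,6 +64,12 @@
 ];
 };
 
+firewall.enable = false;
+nftables = {
+enable = true;
+rulesetFile = ./ruleset.nft;
+};
+
 firewall = {
 enable = true;
 allowPing = true;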
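Review bot: `firewall.enable = false;` at new line 67 and `firewall = { enable = true; ...` at line 73 appear to sit in the same attribute set, in which case Nix rejects the file with an "attribute already defined" error for `firewall.enable`; if the existing `firewall = { ... }` block is meant to stay, its `enable = true;` has to go, and with the NixOS firewall disabled its `allowPing` and port options no longer have any effect anyway. The enclosing attribute set starts and ends outside the hunk, so this is inferred from the context lines only. A short comment on the new lines, `# NixOS firewall disabled: ruleset.nft is the only packet filter on this host`, would make the hand-over explicit for the next reader.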
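--- /dev/null
+++ b/hosts/surtr/ruleset.nft
@@ -0,0 +1,109 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+limit lim_arp_local {
+rate over 50 mbytes/second burst 50 mbytes
+}
+limit lim_arp_dsl {
+rate over 1400 kbytes/second burst 1400 kbytes
+}
+
+chain input {
+type filter hook input priority filter
+policy accept
+
+iifname != dsl limit name lim_arp_local counter drop
+iifname dsl limit name lim_arp_dsl counter drop
+
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+oifname != dsl limit name lim_arp_local counter drop
+oifname dsl limit name lim_arp_dsl counter drop
+
+counter
+}
+}
+
+table inet filter {
+limit lim_reject {
+rate over 1000/second burst 1000 packets
+}
+
+limit lim_icmp {
+rate over 50 mbytes/second burst 50 mbytes
+}
+
+
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+ct state invalid log prefix "drop invalid forward: " counter drop
+
+
+iifname lo counter accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+
+limit name lim_reject log prefix "drop forward: " counter drop
+log prefix "reject forward: " counter
+meta l4proto tcp ct state new counter reject with tcp reset
+ct state new counter reject
+
+
+counter
+}
+
+chain input {
+type filter hook input priority filter
+policy drop
+
+
+ct state invalid log prefix "drop invalid input: " counter drop
+
+
+iifname lo counter accept
+iif != lo ip daddr 127.0.0.1/8 counter reject
+iif != lo ip6 daddr ::1/128 counter reject
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+ct state {established, related} counter accept
+
+tcp dport 22 counter accept
+meta protocol ip udp dport {51820, 51821} counter accept
+udp dport 60000-61000 counter accept
+
+
+limit name lim_reject log prefix "drop input: " counter drop
+log prefix "reject input: " counter
+meta l4proto tcp ct state new counter reject with tcp reset
+ct state new counter reject
+
+
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+
+oifname lo counter accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+
+counter
+}
+}
\ No newline at end of file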
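Review bot: The over-limit branch at new line 87, `limit name lim_reject log prefix "drop input: " counter drop` (and the same shape at line 56 in forward), still emits a kernel log entry for every packet once the 1000/s threshold is exceeded, so the limit bounds the rejecting but not the logging, and a flood turns into a journal flood; dropping the log from that rule, `limit name lim_reject counter drop`, or giving that one log expression its own much lower rate limit keeps log volume bounded under load. Because lim_reject is a single named object shared by input and forward, a flood on one chain also switches the other from reject to silent drop — presumably intended, but worth a comment in the file. Separately, lines 77-78 and 103-104 accept every ICMP, ICMPv6 and IGMP type from any source (only volume-limited) and do so ahead of the conntrack rule; restricting the input chain to the types the host actually needs (`icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, destination-unreachable, parameter-problem }` and the matching `icmp type` set) reduces what unauthenticated peers can reach. Note also that `meta protocol ip` on line 83 limits the WireGuard ports to IPv4 only; if IPv6 peers are expected that qualifier excludes them.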