author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-08-08 21:48:11 +0200 |
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-08-08 21:48:11 +0200 |
commit | 6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a (patch) | |
tree | 4497d93ad2d46c04e311bf87755fbf6c42b56c7f /hosts/sif | |
parent | df4f7efea1570050ba3f1828e41419304606e212 (diff) | |
download | nixos-6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a.tar nixos-6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a.tar.gz nixos-6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a.tar.bz2 nixos-6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a.tar.xz nixos-6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a.zip |
...
Diffstat (limited to 'hosts/sif')
-rw-r--r-- | hosts/sif/default.nix | 4 | ||||
-rw-r--r-- | hosts/sif/ruleset.nft | 10 |
2 files changed, 12 insertions, 2 deletions
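--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
 bogus-priv = true;
 no-hosts = true;
 listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
-interface = "virbr0";
-except-interface = "lo";
+# interface = "virbr0";
+# except-interface = "lo";
 bind-interfaces = true;
 domain = "libvirt,192.168.122.0/24";
 dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];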
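Review bot: Lines 291–292 comment out `interface`/`except-interface` instead of deleting them, leaving dead configuration with no record of why the interface restriction was lifted; either drop the lines or replace them with a comment such as `# interface/except-interface dropped: bind-interfaces + listen-address already pin the sockets to virbr0's addresses` if that is the reason. Because `bind-interfaces = true` and the explicit `listen-address` entries remain, dnsmasq should still open sockets only on 192.168.122.1 and fd45:febc:b028::, but that follows from dnsmasq's documented behaviour rather than anything visible here, so it is worth confirming after deployment (e.g. with `ss -lnup`) that no wildcard UDP/53 or DHCP socket appeared. The enclosing dnsmasq settings attribute set starts and ends outside the hunk.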
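--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
 counter libvirt-dns {}
 
 
+chain forward_tmp {}
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -100,6 +101,8 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
+jump forward_tmp
+
 iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
 oifname virbr0 ct state {established, related} counter name fw-libvirt accept
 
@@ -110,6 +113,7 @@ table inet filter {
 ct state new counter name reject-icmp-fw reject
 }
 
+chain input_tmp {}
 chain input {
 type filter hook input priority filter
 policy drop
@@ -125,6 +129,8 @@ table inet filter {
 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
+jump input_tmp
+
 tcp dport 22 counter name ssh-rx accept
 udp dport 60000-61000 counter name mosh-rx accept
 
@@ -180,11 +186,13 @@ table inet filter {
 table ip nat {
 counter libvirt-nat {}
 
+chain postrouting_tmp {}
 chain postrouting {
 type nat hook postrouting priority srcnat
 policy accept
 
 iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+jump postrouting_tmp
 }
 }
 
@@ -202,10 +210,12 @@ table ip6 nat {
 table ip mss_clamp {
 counter libvirt-mss-clamp {}
 
+chain postrouting_tmp {}
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 
 iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+jump postrouting_tmp
 }
 }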
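Review bot: The new `forward_tmp`, `input_tmp` and `postrouting_tmp` chains carry no comment, and because `jump input_tmp` (new line 132) sits before the `tcp dport 22` accept inside a `policy drop` base chain, anything later added to these chains at runtime is evaluated ahead of the static policy and outside this reviewed file. A one-line comment above each declaration naming who populates the chain, and whether an `nft -f` reload of this file is expected to clear it, would make that contract explicit, e.g. `# runtime extension point; intentionally empty in this file`. Note also the asymmetry: in the filter chains the jump precedes the static rules, while in `ip nat` and `ip mss_clamp` it follows the libvirt `masquerade`/MSS-clamp rule, so rules added to `postrouting_tmp` will not see packets the masquerade already handled (nat statements are terminal); if that ordering is deliberate it deserves a comment as well. The `chain forward` and `chain input` bodies continue outside the hunks shown.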