author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 18:05:08 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-13 18:05:08 +0100 |
commit | 1f0101786a8c3eb9767132bf5317672b3cf9d16c (patch) | |
tree | 6fefd72f50cbea3121870f5bd0f31d917bd4d826 /hosts | |
parent | 570df959e20b32884cb8ba62a6509257dbf20ce7 (diff) | |
surtr: nftables
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/surtr/default.nix | 6 | ||||
-rw-r--r-- | hosts/surtr/ruleset.nft | 109 |
2 files changed, 115 insertions, 0 deletions
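--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -64,6 +64,12 @@
 ];
 };
 
+firewall.enable = false;
+nftables = {
+enable = true;
+rulesetFile = ./ruleset.nft;
+};
+
 firewall = {
 enable = true;
 allowPing = true;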
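Review bot: `firewall.enable = false;` on new line 67 collides with the `firewall = { enable = true; ... }` block that the hunk context shows starting at new line 73; the two appear to be siblings in the same attribute set (indentation is not visible in this rendering, so that is inferred), and if they are, Nix rejects the file with an "attribute 'firewall.enable' already defined" error rather than silently preferring one. Even where the scoping differs, the intent of the change (iptables-based NixOS firewall off, nftables ruleset on) is contradicted by the surviving `enable = true;`. Dropping the added `firewall.enable = false;` line and changing the existing block's `enable = true;` to `enable = false;` resolves both; note that `allowPing` and the rest of that block then have no effect once the NixOS firewall is disabled, so any option from it that is still wanted has to be expressed in ruleset.nft instead. The `firewall = { ... }` block continues past the end of the hunk.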
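--- /dev/null
+++ b/hosts/surtr/ruleset.nft
@@ -0,0 +1,109 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+limit lim_arp_local {
+rate over 50 mbytes/second burst 50 mbytes
+}
+limit lim_arp_dsl {
+rate over 1400 kbytes/second burst 1400 kbytes
+}
+
+chain input {
+type filter hook input priority filter
+policy accept
+
+iifname != dsl limit name lim_arp_local counter drop
+iifname dsl limit name lim_arp_dsl counter drop
+
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+oifname != dsl limit name lim_arp_local counter drop
+oifname dsl limit name lim_arp_dsl counter drop
+
+counter
+}
+}
+
+table inet filter {
+limit lim_reject {
+rate over 1000/second burst 1000 packets
+}
+
+limit lim_icmp {
+rate over 50 mbytes/second burst 50 mbytes
+}
+
+
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+ct state invalid log prefix "drop invalid forward: " counter drop
+
+
+iifname lo counter accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+
+limit name lim_reject log prefix "drop forward: " counter drop
+log prefix "reject forward: " counter
+meta l4proto tcp ct state new counter reject with tcp reset
+ct state new counter reject
+
+
+counter
+}
+
+chain input {
+type filter hook input priority filter
+policy drop
+
+
+ct state invalid log prefix "drop invalid input: " counter drop
+
+
+iifname lo counter accept
+iif != lo ip daddr 127.0.0.1/8 counter reject
+iif != lo ip6 daddr ::1/128 counter reject
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+ct state {established, related} counter accept
+
+tcp dport 22 counter accept
+meta protocol ip udp dport {51820, 51821} counter accept
+udp dport 60000-61000 counter accept
+
+
+limit name lim_reject log prefix "drop input: " counter drop
+log prefix "reject input: " counter
+meta l4proto tcp ct state new counter reject with tcp reset
+ct state new counter reject
+
+
+counter
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+
+oifname lo counter accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter drop
+meta l4proto $icmp_protos counter accept
+
+
+counter
+}
+}
\ No newline at end of file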
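Review bot: The `ct state invalid log prefix "drop invalid input: " counter drop` rule at line 70 of the new file (and its forward-chain counterpart at line 47) logs every invalid packet with no rate limit, while the reject path further down the same chains is bounded by `lim_reject`; a sustained stream of invalid segments therefore lands in the journal unthrottled. Splitting it into `ct state invalid limit rate 10/second burst 50 packets log prefix "drop invalid input: "` followed by `ct state invalid counter drop` keeps the drop unconditional and bounds the log volume (the rate is a suggested starting point, not derived from the file). Separately, `meta l4proto $icmp_protos counter accept` at line 78 admits every ICMP, ICMPv6 and IGMP type to the host ahead of the conntrack check, which matches the allowPing intent but is wider than needed; a comment naming why the full protocol set is accepted, or narrowing it to the ICMPv6 types the host actually depends on (neighbour discovery, packet-too-big, time-exceeded, parameter-problem, echo), would make the exposure deliberate rather than incidental.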