author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-04 08:35:56 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-04 08:36:23 +0200 |
commit | fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e (patch) | |
tree | 17d5264f10faa3e967bed27976d6e1966f0a1228 /hosts | |
parent | 14003a8016ef6572a85541010e8e0b955d4bc9cd (diff) | |
sif: nftables
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/sif/default.nix | 14 | ||||
-rw-r--r-- | hosts/sif/ruleset.nft | 157 |
2 files changed, 167 insertions, 4 deletions
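--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -65,13 +65,19 @@ in {
 "::1" = [ "sif.yggdrasil" "sif" ];
 };
 
-firewall = {
+firewall.enable = false;
+nftables = {
 enable = true;
-allowedTCPPorts = [ 22 # ssh
-8000 # quickserve
-];
+rulesetFile = ./ruleset.nft;
 };
 
+# firewall = {
+# enable = true;
+# allowedTCPPorts = [ 22 # ssh
+# 8000 # quickserve
+# ];
+# };
+
 # wlanInterfaces = {
 # wlan0 = {
 # device = "wlp82s0";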
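Review bot: Once `firewall.enable = false` is set on the new line 68, any `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` contributed by other modules or services on this host are silently ignored, so every listening port has to be opened by hand in `./ruleset.nft`, and the commented-out block that follows no longer documents what is actually open. A comment next to the switch would make that maintenance cost visible, for example `# NixOS firewall module disabled: all ports are opened in ./ruleset.nft, allowedTCPPorts from other modules has no effect`. It is also worth stating in that comment that a ruleset that fails to load leaves the host without any input filtering, since nothing else is left to fall back on. The enclosing `networking` attribute set starts and ends outside the hunk, so I cannot see whether other port options are still set there.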
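--- /dev/null
+++ b/hosts/sif/ruleset.nft
@@ -0,0 +1,157 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+
+table arp filter {
+limit lim_arp {
+rate over 50 mbytes/second burst 50 mbytes
+}
+
+counter arp-rx {}
+counter arp-tx {}
+
+counter arp-ratelimit-rx {}
+counter arp-ratelimit-tx {}
+
+chain input {
+type filter hook input priority filter
+policy accept
+
+limit name lim_arp counter name arp-ratelimit-rx drop
+
+counter name arp-rx
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+limit name lim_arp counter name arp-ratelimit-tx drop
+
+counter name arp-tx
+}
+}
+
+table inet filter {
+limit lim_reject {
+rate over 1000/second burst 1000 packets
+}
+
+limit lim_icmp {
+rate over 50 mbytes/second burst 50 mbytes
+}
+
+counter invalid-fw {}
+
+counter reject-ratelimit-fw {}
+counter reject-fw {}
+counter reject-tcp-fw {}
+counter reject-icmp-fw {}
+
+
+counter invalid-rx {}
+counter rx-lo {}
+counter invalid-local4-rx {}
+counter invalid-local6-rx {}
+
+counter icmp-ratelimit-rx {}
+counter icmp-rx {}
+
+counter ssh-rx {}
+counter mosh-rx {}
+counter wg-rx {}
+counter yggdrasil-gre-rx {}
+counter quickserve-rx {}
+
+counter established-rx {}
+
+counter reject-ratelimit-rx {}
+counter reject-rx {}
+counter reject-tcp-rx {}
+counter reject-icmp-rx {}
+
+
+counter tx-lo {}
+
+counter icmp-ratelimit-tx {}
+counter icmp-tx {}
+
+counter ssh-tx {}
+counter mosh-tx {}
+counter wg-tx {}
+counter yggdrasil-gre-tx {}
+counter quickserve-tx {}
+
+counter tx {}
+
+
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+
+iifname lo counter name fw-lo accept
+
+
+limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+log level debug prefix "reject forward: " counter name reject-fw
+meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ct state new counter name reject-icmp-fw reject
+}
+
+chain input {
+type filter hook input priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+
+
+iifname lo counter name rx-lo accept
+iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+meta l4proto $icmp_protos counter name icmp-rx accept
+
+tcp dport 22 counter name ssh-rx accept
+udp dport 60001-61000 counter name mosh-rx accept
+
+tcp dport 8000 counter name quickserve-rx accept
+
+udp dport 51820-51822 counter name wg-rx accept
+iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+
+ct state {established, related} counter name established-rx accept
+
+
+limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+log level debug prefix "reject input: " counter name reject-rx
+meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ct state new counter name reject-icmp-rx reject
+}
+
+chain output {
+type filter hook output priority filter
+policy accept
+
+
+oifname lo counter name tx-lo accept
+
+meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+tcp sport 22 counter name ssh-tx
+udp sport 60001-61000 counter name mosh-tx
+
+udp sport 51820-51822 counter name wg-tx
+iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+
+tcp sport 8000 counter name http-tx accept
+
+
+counter name tx
+}
+}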
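Review bot: Line 94 (`counter name fw-lo`) and line 152 (`counter name http-tx`) reference named counters that are never declared in `table inet filter` (the declared ones are `rx-lo`, `tx-lo`, `quickserve-tx`, …), and nft refuses to load a ruleset that refers to an undeclared named object, so the whole file should fail at `nft -f` time; since the same commit turns the NixOS firewall module off, a failed load would leave the host with no input filtering at all, which is worth verifying on a rebuild before relying on this. The straightforward fix is to add `counter fw-lo {}` next to the other `-fw` counters and change line 152 to `tcp sport 8000 counter name quickserve-tx accept`, which also puts the otherwise unused `quickserve-tx` counter to work. Separately, line 150 in the `output` chain matches on `iifname "yggdrasil-wg-*"`, but locally generated packets in the output hook have no input interface, so that rule never counts anything; it presumably wants `oifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx`, mirroring the `oifname lo` rule above it.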