summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-05-04 08:35:56 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-05-04 08:36:23 +0200
commitfd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e (patch)
tree17d5264f10faa3e967bed27976d6e1966f0a1228 /hosts
parent14003a8016ef6572a85541010e8e0b955d4bc9cd (diff)
downloadnixos-fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e.tar
nixos-fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e.tar.gz
nixos-fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e.tar.bz2
nixos-fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e.tar.xz
nixos-fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e.zip
sif: nftables
Diffstat (limited to 'hosts')
-rw-r--r--hosts/sif/default.nix14
-rw-r--r--hosts/sif/ruleset.nft157
2 files changed, 167 insertions, 4 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 11f74373..bcfa1e10 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -65,13 +65,19 @@ in {
65 "::1" = [ "sif.yggdrasil" "sif" ]; 65 "::1" = [ "sif.yggdrasil" "sif" ];
66 }; 66 };
67 67
68 firewall = { 68 firewall.enable = false;
69 nftables = {
69 enable = true; 70 enable = true;
70 allowedTCPPorts = [ 22 # ssh 71 rulesetFile = ./ruleset.nft;
71 8000 # quickserve
72 ];
73 }; 72 };
74 73
74 # firewall = {
75 # enable = true;
76 # allowedTCPPorts = [ 22 # ssh
77 # 8000 # quickserve
78 # ];
79 # };
80
75 # wlanInterfaces = { 81 # wlanInterfaces = {
76 # wlan0 = { 82 # wlan0 = {
77 # device = "wlp82s0"; 83 # device = "wlp82s0";
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
new file mode 100644
index 00000000..62fa90db
--- /dev/null
+++ b/hosts/sif/ruleset.nft
@@ -0,0 +1,157 @@
1define icmp_protos = { ipv6-icmp, icmp, igmp }
2
3table arp filter {
4 limit lim_arp {
5 rate over 50 mbytes/second burst 50 mbytes
6 }
7
8 counter arp-rx {}
9 counter arp-tx {}
10
11 counter arp-ratelimit-rx {}
12 counter arp-ratelimit-tx {}
13
14 chain input {
15 type filter hook input priority filter
16 policy accept
17
18 limit name lim_arp counter name arp-ratelimit-rx drop
19
20 counter name arp-rx
21 }
22
23 chain output {
24 type filter hook output priority filter
25 policy accept
26
27 limit name lim_arp counter name arp-ratelimit-tx drop
28
29 counter name arp-tx
30 }
31}
32
33table inet filter {
34 limit lim_reject {
35 rate over 1000/second burst 1000 packets
36 }
37
38 limit lim_icmp {
39 rate over 50 mbytes/second burst 50 mbytes
40 }
41
42 counter invalid-fw {}
43
44 counter reject-ratelimit-fw {}
45 counter reject-fw {}
46 counter reject-tcp-fw {}
47 counter reject-icmp-fw {}
48
49
50 counter invalid-rx {}
51 counter rx-lo {}
52 counter invalid-local4-rx {}
53 counter invalid-local6-rx {}
54
55 counter icmp-ratelimit-rx {}
56 counter icmp-rx {}
57
58 counter ssh-rx {}
59 counter mosh-rx {}
60 counter wg-rx {}
61 counter yggdrasil-gre-rx {}
62 counter quickserve-rx {}
63
64 counter established-rx {}
65
66 counter reject-ratelimit-rx {}
67 counter reject-rx {}
68 counter reject-tcp-rx {}
69 counter reject-icmp-rx {}
70
71
72 counter tx-lo {}
73
74 counter icmp-ratelimit-tx {}
75 counter icmp-tx {}
76
77 counter ssh-tx {}
78 counter mosh-tx {}
79 counter wg-tx {}
80 counter yggdrasil-gre-tx {}
81 counter quickserve-tx {}
82
83 counter tx {}
84
85
86 chain forward {
87 type filter hook forward priority filter
88 policy drop
89
90
91 ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
92
93
94 iifname lo counter name fw-lo accept
95
96
97 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
98 log level debug prefix "reject forward: " counter name reject-fw
99 meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
100 ct state new counter name reject-icmp-fw reject
101 }
102
103 chain input {
104 type filter hook input priority filter
105 policy drop
106
107
108 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
109
110
111 iifname lo counter name rx-lo accept
112 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
113 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
114
115 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
116 meta l4proto $icmp_protos counter name icmp-rx accept
117
118 tcp dport 22 counter name ssh-rx accept
119 udp dport 60001-61000 counter name mosh-rx accept
120
121 tcp dport 8000 counter name quickserve-rx accept
122
123 udp dport 51820-51822 counter name wg-rx accept
124 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
125
126 ct state {established, related} counter name established-rx accept
127
128
129 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
130 log level debug prefix "reject input: " counter name reject-rx
131 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
132 ct state new counter name reject-icmp-rx reject
133 }
134
135 chain output {
136 type filter hook output priority filter
137 policy accept
138
139
140 oifname lo counter name tx-lo accept
141
142 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
143 meta l4proto $icmp_protos counter name icmp-tx accept
144
145
146 tcp sport 22 counter name ssh-tx
147 udp sport 60001-61000 counter name mosh-tx
148
149 udp sport 51820-51822 counter name wg-tx
150 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
151
152 tcp sport 8000 counter name http-tx accept
153
154
155 counter name tx
156 }
157}