Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/sif/default.nix | 4 | ||||
| -rw-r--r-- | hosts/sif/ruleset.nft | 10 |
2 files changed, 12 insertions, 2 deletions
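--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
 bogus-priv = true;
 no-hosts = true;
 listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
-interface = "virbr0";
-except-interface = "lo";
+# interface = "virbr0";
+# except-interface = "lo";
 bind-interfaces = true;
 domain = "libvirt,192.168.122.0/24";
 dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];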
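Review bot: The two lines commented out at new 291–292 leave no record of why the `interface`/`except-interface` restriction was dropped, while `bind-interfaces = true` and the explicit `listen-address` list remain, so which sockets dnsmasq opens is now governed by the address list alone. A reader cannot tell whether this is a temporary workaround or the intended end state; a one-line reason next to the disabled settings would make that clear, e.g. `# interface = "virbr0"; # disabled: <reason>`. If it is temporary, a TODO naming the condition for restoring the interface restriction would help. The enclosing attribute set starts and ends outside the hunk.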
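--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
 counter libvirt-dns {}
 
 
+chain forward_tmp {}
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -100,6 +101,8 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
+jump forward_tmp
+
 iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
 oifname virbr0 ct state {established, related} counter name fw-libvirt accept
 
@@ -110,6 +113,7 @@ table inet filter {
 ct state new counter name reject-icmp-fw reject
 }
 
+chain input_tmp {}
 chain input {
 type filter hook input priority filter
 policy drop
@@ -125,6 +129,8 @@ table inet filter {
 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
+jump input_tmp
+
 tcp dport 22 counter name ssh-rx accept
 udp dport 60000-61000 counter name mosh-rx accept
 
@@ -180,11 +186,13 @@ table inet filter {
 table ip nat {
 counter libvirt-nat {}
 
+chain postrouting_tmp {}
 chain postrouting {
 type nat hook postrouting priority srcnat
 policy accept
 
 iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+jump postrouting_tmp
 }
 }
 
@@ -202,10 +210,12 @@ table ip6 nat {
 table ip mss_clamp {
 counter libvirt-mss-clamp {}
 
+chain postrouting_tmp {}
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 
 iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+jump postrouting_tmp
 }
 }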
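Review bot: The `jump input_tmp` added at new line 132 (hunk @@ -125) and `jump forward_tmp` at new line 104 (hunk @@ -100) are evaluated before the static accept rules that follow them, so any rule placed in those empty chains at runtime is consulted ahead of the declarative input/forward policy, whereas the `jump postrouting_tmp` lines at 195 and 219 sit after the masquerade and MSS-clamp rules; neither that asymmetry nor the intended use of the `_tmp` chains is documented in the hunks. Presumably the chains are a hook for rules added outside this file (they are declared empty here, so a ruleset reload discards whatever was added), but that is an inference. A short comment above each empty chain would settle it, e.g. `# input_tmp: populated at runtime by <placeholder>; evaluated before the static accept rules; emptied on every reload`. If evaluation before the static rules is not deliberate, moving the two filter-chain jumps after the accept rules would keep runtime additions from widening the input and forward policy. The input and forward chains each start and end outside the hunks.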
