From 29480b6e86ca6057d4151accdb5d4103f1657596 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 4 Mar 2023 19:23:36 +0100
Subject: ...
---
hosts/vidhar/printing/default.nix | 124 +++++++++++++++++++++++++
hosts/vidhar/printing/ruleset.nft | 185 ++++++++++++++++++++++++++++++++++++++
2 files changed, 309 insertions(+)
create mode 100644 hosts/vidhar/printing/default.nix
create mode 100644 hosts/vidhar/printing/ruleset.nft
(limited to 'hosts/vidhar/printing')
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix
new file mode 100644
index 00000000..0e0dfcf7
--- /dev/null
+++ b/hosts/vidhar/printing/default.nix
@@ -0,0 +1,124 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ containerConfig = config.containers.printing.config;
+in {
+ config = {
+ containers.printing = {
+ privateNetwork = true;
+ ephemeral = true;
+ autoStart = true;
+ hostAddress = "10.141.4.0";
+ hostAddress6 = "2a03:4000:52:ada:4::";
+ localAddress = "10.141.4.1";
+ localAddress6 = "2a03:4000:52:ada:4::1";
+ interfaces = [ "printer" ];
+ config = let
+ hostConfig = config;
+ in { ... }: {
+ config = {
+ services = {
+ kea = {
+ dhcp4 = {
+ enable = true;
+ settings = {
+ valid-lifetime = 4000;
+ rebind-timer = 2000;
+ renew-timer = 1000;
+
+ interfaces-config = {
+ interfaces = [ "printer" ];
+ };
+
+ lease-database = {
+ name = "/var/lib/kea/dhcp4.leases";
+ persist = true;
+ type = "memfile";
+ };
+
+ subnet4 = [
+ { subnet = "10.141.3.0/24";
+ option-data = [
+ { name = "domain-name-servers";
+ data = "10.141.4.0";
+ }
+ { name = "ntp-servers";
+ data = "10.141.4.0";
+ }
+ { name = "broadcast-address";
+ data = "10.141.3.255";
+ }
+ { name = "routers";
+ data = "10.141.3.1";
+ }
+ { name = "domain-name";
+ data = "yggdrasil";
+ }
+ { name = "domain-search";
+ data = "printer.yggdrasil, yggdrasil";
+ }
+ ];
+ pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ];
+ reservations = [
+ { hostname = "printer";
+ hw-address = "30:cd:a7:b0:55:8d";
+ ip-address = "10.141.3.2";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+
+ printing = {
+ enable = true;
+ listenAddresses = [
+ "*:631"
+ ];
+ allowFrom = [ "all" ];
+ extraConf = ''
+ ServerName printing
+ ServerAlias 10.141.4.1 2a03:4000:52:ada:4::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
+ '';
+ };
+
+ resolved.enable = false;
+ };
+
+ networking = {
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+
+ useDHCP = false;
+ useNetworkd = true;
+
+ interfaces."printer" = {
+ ipv4.addresses = [
+ { address = "10.141.3.1"; prefixLength = 24; }
+ ];
+ };
+ };
+
+ environment.etc."resolv.conf".text = ''
+ nameserver ${hostConfig.containers.printing.hostAddress6}
+ '';
+
+ system.stateVersion = hostConfig.system.stateVersion;
+ };
+ };
+ };
+
+ networking = {
+ vlans.printer = {
+ id = 5;
+ interface = "eno2";
+ };
+ };
+ };
+}
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft
new file mode 100644
index 00000000..c3027567
--- /dev/null
+++ b/hosts/vidhar/printing/ruleset.nft
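Review bot: `allowFrom = [ "all" ]` together with `listenAddresses = [ "*:631" ]` switches off CUPS's own access control, so the only thing limiting port 631 to the host is ruleset.nft, and with `firewall.enable = false` a ruleset that fails to load leaves the container with no packet filter at all, including on the printer VLAN. Keeping a second layer is cheap: `allowFrom = [ "localhost" "10.141.4.0" "2a03:4000:52:ada:4::" ];` restricts CUPS to the same addresses the ruleset trusts. The `containerConfig` binding in the top-level `let` is never used in this file and can be dropped. The Kea `lease-database` is declared with `persist = true` under `/var/lib/kea`, but the container is `ephemeral = true`, so leases presumably do not survive a restart; the static reservation covers the printer, but a comment saying so would help the next reader.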
@@ -0,0 +1,185 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter arp-rx {}
+ counter arp-tx {}
+
+ counter arp-ratelimit-rx {}
+ counter arp-ratelimit-tx {}
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-rx drop
+
+ counter name arp-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-tx drop
+
+ counter name arp-tx
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter invalid-fw {}
+ counter fw-lo {}
+ counter fw-printer {}
+ counter fw-host {}
+
+ counter icmp-ratelimit-fw {}
+
+ counter reject-ratelimit-fw {}
+ counter reject-fw {}
+ counter reject-tcp-fw {}
+ counter reject-icmp-fw {}
+
+ counter drop-fw {}
+
+ counter invalid-rx {}
+
+ counter rx-lo {}
+ counter invalid-local4-rx {}
+ counter invalid-local6-rx {}
+
+ counter icmp-ratelimit-rx {}
+ counter icmp-rx {}
+
+ counter cups-rx {}
+
+ counter established-rx {}
+
+ counter reject-ratelimit-rx {}
+ counter reject-rx {}
+ counter reject-tcp-rx {}
+ counter reject-icmp-rx {}
+
+ counter drop-rx {}
+
+ counter tx-lo {}
+
+ counter icmp-ratelimit-tx {}
+ counter icmp-tx {}
+
+ counter cups-tx {}
+
+ counter tx {}
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+
+ iifname lo counter name fw-lo accept
+
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
+ meta l4proto $icmp_protos counter name icmp-fw accept
+
+
+ iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept
+ iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept
+ iifname eth0 oifname printer counter fw-host accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+ log level debug prefix "reject forward: " counter name reject-fw
+ meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ ct state new counter name reject-icmp-fw reject
+
+
+ counter name drop-fw
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+
+
+ iifname lo counter name rx-lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+ iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+ meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+ ip6 saddr 2a03:4000:52:ada:4:: tcp dport 631 counter name cups-rx accept
+ ip saddr 10.141.4.0 tcp dport 631 counter name cups-rx accept
+
+ ct state {established, related} counter name established-rx accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+ log level debug prefix "reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
+
+
+ counter name drop-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter name tx-lo accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+ meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+ tcp sport 631 counter name cups-tx accept
+
+
+ counter name tx
+ }
+}
+
+table ip nat {
+ counter host-nat {}
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+
+ oifname eth0 counter name host-nat masquerade
+ }
+}
+
+table ip mss_clamp {
+ counter host-mss-clamp {}
+
+ chain postrouting {
+ type filter hook postrouting priority mangle
+ policy accept
+
+
+ oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
+ }
+}
-- 
cgit v1.2.3
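Review bot: The three accept rules in `chain forward` for the printer and host paths are written `counter fw-printer accept` / `counter fw-host accept` without the `name` keyword, and `meta l4proto $icmp_protos counter name icmp-fw accept` references a counter `icmp-fw` that is never declared in `table inet filter`; either should make `nft -f` reject the whole file, and since default.nix sets `firewall.enable = false` the container would then run with no packet filter at all. `chain forward` also has no `ct state {established, related}` accept, so replies for anything the host initiates toward the printer through the `fw-host` rule (printer → eth0, not port 53/123) fall through to `reject with tcp reset`. The Kea DHCP server on the `printer` interface likewise has no matching input rule for `udp dport 67`; Kea's default raw sockets may make this work regardless, but it is worth confirming or adding an explicit accept. The corrected forward rules and the two missing counter declarations are below; all other rules are unchanged.

```nft
# … unchanged: limits and preceding counter declarations …
counter icmp-fw {}
counter established-fw {}
# … unchanged: remaining counter declarations …

chain forward {
    # … unchanged: type/policy, invalid drop, lo accept, icmp rate-limit and accept …
    ct state {established, related} counter name established-fw accept
    iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
    iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
    iifname eth0 oifname printer counter name fw-host accept
    # … unchanged: reject rate-limit, reject and final drop counter …
}
```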