From 8124337c5182b02e3057ebde1213050d4a714a0f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 8 Dec 2021 17:59:52 +0100
Subject: vidhar: nftables...
---
 hosts/vidhar/default.nix | 50 ++--------------------------------
 hosts/vidhar/ruleset.nft | 71 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 47 deletions(-)
 create mode 100644 hosts/vidhar/ruleset.nft
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 622c2c54..e05b9416 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -78,54 +78,10 @@
 ];
 };
- firewall = {
+ firewall.enable = false;
+ nftables = {
 enable = true;
- package = pkgs.iptables-nftables-compat;
- allowPing = true;
- allowedTCPPorts = [
- 22 # ssh
- ];
- allowedUDPPorts = [
- 51820 # wireguard
- ];
- allowedUDPPortRanges = [
- { from = 60000; to = 61000; } # mosh
- ];
- extraCommands = ''
- ip46tables -D FORWARD -j nixos-fw-forward 2>/dev/null || true
- ip46tables -F nixos-fw-forward 2>/dev/null || true
- ip46tables -X nixos-fw-forward 2>/dev/null || true
- ip46tables -N nixos-fw-forward
-
- ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
- ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
- ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
- ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
-
- ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
- ip46tables -A FORWARD -j nixos-fw-forward
-
-
- ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
- ip46tables -t nat -F nixos-fw-postrouting 2>/dev/null || true
- ip46tables -t nat -X nixos-fw-postrouting 2>/dev/null || true
- ip46tables -t nat -N nixos-fw-postrouting
-
- iptables -t nat -A nixos-fw-postrouting -o dsl -j MASQUERADE
-
- ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting
-
-
- ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
- ip46tables -t mangle -F nixos-fw-postrouting 2>/dev/null || true
- ip46tables -t mangle -X nixos-fw-postrouting 2>/dev/null || true
-
- ip46tables -t mangle -N nixos-fw-postrouting
- ip46tables -t mangle -A nixos-fw-postrouting -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
- ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting
- '';
+ rulesetFile = ./ruleset.nft;
 };
 };
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
new file mode 100644
index 00000000..ae91af00
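Review bot: Setting `firewall.enable = false` switches off the whole NixOS firewall module, not just the iptables rules being removed, so anything else in this configuration that relies on `networking.firewall.allowedTCPPorts` or a service's `openFirewall` option silently stops having any effect and every open port now has to be tracked by hand in the ruleset; a comment beside the new line, e.g. `# NixOS firewall disabled: open ports are maintained in ./ruleset.nft`, would make that explicit. The same switch also drops the module's reverse-path filtering (`networking.firewall.checkReversePath`, which defaults to on when the kernel supports it), and the new ruleset does not appear to add an nftables equivalent, so a host that masquerades towards dsl loses that check unless it is re-added there. The enclosing attribute set begins above the hunk, so whether `checkReversePath` had already been disabled elsewhere cannot be seen from here.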
--- /dev/null
+++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
+table inet filter {
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ iifname eno1 accept
+
+ ct state {established, related} accept
+
+ meta l4proto ipv6-icmp accept
+ meta l4proto icmp accept
+ meta l4proto igmp accept
+
+
+ log prefix "drop forward:"
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ iifname lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+
+ ct state {established, related} accept
+
+ tcp dport 22 accept
+ udp dport 51820 accept
+ udp dport 60000-61000 accept
+
+ meta l4proto ipv6-icmp accept
+ meta l4proto icmp accept
+ meta l4proto igmp accept
+
+ log prefix "drop input:"
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ counter
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+ oifname dsl counter masquerade
+
+ counter
+ }
+}
+
+table inet mangle {
+ chain postrouting {
+ type filter hook postrouting priority mangle
+ policy accept
+
+ oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+
+ counter
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3
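Review bot: The forward chain's `meta l4proto ipv6-icmp accept` admits every ICMPv6 type, whereas the iptables rules this ruleset replaces sent ICMPv6 redirects and type 139 to the refuse chain before accepting the rest, so this is a silent relaxation for traffic crossing the router; a rule such as `icmpv6 type { nd-redirect, 139 } counter drop` placed ahead of that accept would restore the previous behaviour. The `log prefix "drop forward:"` and `log prefix "drop input:"` statements carry no rate limit, so a burst of rejected packets arriving on dsl becomes an equally large burst of kernel log lines; prefixing each with something like `limit rate 10/minute burst 20 packets` (values to be tuned) bounds that. Both drop-policy chains accept `ct state {established, related}` without first dropping `ct state invalid`, which is worth considering so malformed packets never reach the per-port accepts. The ruleset file is written without a trailing newline, as the diff marker shows, which is harmless to nft but worth fixing for tidiness.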