From fd78bbb4ce5a9634e1f8c51b82ccfa958e10b45e Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 4 May 2022 08:35:56 +0200 Subject: sif: nftables --- hosts/sif/default.nix | 14 +++-- hosts/sif/ruleset.nft | 157 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 167 insertions(+), 4 deletions(-) create mode 100644 hosts/sif/ruleset.nft (limited to 'hosts') diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 11f74373..bcfa1e10 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -65,13 +65,19 @@ in { "::1" = [ "sif.yggdrasil" "sif" ]; }; - firewall = { + firewall.enable = false; + nftables = { enable = true; - allowedTCPPorts = [ 22 # ssh - 8000 # quickserve - ]; + rulesetFile = ./ruleset.nft; }; + # firewall = { + # enable = true; + # allowedTCPPorts = [ 22 # ssh + # 8000 # quickserve + # ]; + # }; + # wlanInterfaces = { # wlan0 = { # device = "wlp82s0"; diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft new file mode 100644 index 00000000..62fa90db --- /dev/null +++ b/hosts/sif/ruleset.nft @@ -0,0 +1,157 @@ +define icmp_protos = { ipv6-icmp, icmp, igmp } + +table arp filter { + limit lim_arp { + rate over 50 mbytes/second burst 50 mbytes + } + + counter arp-rx {} + counter arp-tx {} + + counter arp-ratelimit-rx {} + counter arp-ratelimit-tx {} + + chain input { + type filter hook input priority filter + policy accept + + limit name lim_arp counter name arp-ratelimit-rx drop + + counter name arp-rx + } + + chain output { + type filter hook output priority filter + policy accept + + limit name lim_arp counter name arp-ratelimit-tx drop + + counter name arp-tx + } +} + +table inet filter { + limit lim_reject { + rate over 1000/second burst 1000 packets + } + + limit lim_icmp { + rate over 50 mbytes/second burst 50 mbytes + } + + counter invalid-fw {} + + counter reject-ratelimit-fw {} + counter reject-fw {} + counter reject-tcp-fw {} + counter reject-icmp-fw {} + + + counter invalid-rx {} + counter rx-lo {} + counter invalid-local4-rx {} + counter invalid-local6-rx {} + + counter icmp-ratelimit-rx {} + counter icmp-rx {} + + counter ssh-rx {} + counter mosh-rx {} + counter wg-rx {} + counter yggdrasil-gre-rx {} + counter quickserve-rx {} + + counter established-rx {} + + counter reject-ratelimit-rx {} + counter reject-rx {} + counter reject-tcp-rx {} + counter reject-icmp-rx {} + + + counter tx-lo {} + + counter icmp-ratelimit-tx {} + counter icmp-tx {} + + counter ssh-tx {} + counter mosh-tx {} + counter wg-tx {} + counter yggdrasil-gre-tx {} + counter quickserve-tx {} + + counter tx {} + + + chain forward { + type filter hook forward priority filter + policy drop + + + ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop + + + iifname lo counter name fw-lo accept + + + limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop + log level debug prefix "reject forward: " counter name reject-fw + meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset + ct state new counter name reject-icmp-fw reject + } + + chain input { + type filter hook input priority filter + policy drop + + + ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop + + + iifname lo counter name rx-lo accept + iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject + iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject + + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop + meta l4proto $icmp_protos counter name icmp-rx accept + + tcp dport 22 counter name ssh-rx accept + udp dport 60001-61000 counter name mosh-rx accept + + tcp dport 8000 counter name quickserve-rx accept + + udp dport 51820-51822 counter name wg-rx accept + iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept + + ct state {established, related} counter name established-rx accept + + + limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop + log level debug prefix "reject input: " counter name reject-rx + meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset + ct state new counter name reject-icmp-rx reject + } + + chain output { + type filter hook output priority filter + policy accept + + + oifname lo counter name tx-lo accept + + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop + meta l4proto $icmp_protos counter name icmp-tx accept + + + tcp sport 22 counter name ssh-tx + udp sport 60001-61000 counter name mosh-tx + + udp sport 51820-51822 counter name wg-tx + iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx + + tcp sport 8000 counter name http-tx accept + + + counter name tx + } +} -- cgit v1.2.3