From ae278d745dd8eca94374b27c1fa9a977e54c23c2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 12 Mar 2022 18:40:38 +0100
Subject: vidhar: netboot installer

---
 installer/default.nix | 32 +++++++++++++++++
 installer/ruleset.nft | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 installer/default.nix
 create mode 100644 installer/ruleset.nft

(limited to 'installer')

diff --git a/installer/default.nix b/installer/default.nix
new file mode 100644
index 00000000..bf09c8d8
--- /dev/null
+++ b/installer/default.nix
@@ -0,0 +1,32 @@
+{ flake, pkgs, ... }: {
+ imports = with flake.nixosModules.systemProfiles; [
+ default-locale zfs networkmanager openssh
+ ];
+
+ config = {
+ networking = {
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ staticHostKeys = false;
+ };
+
+ services.qemuGuest.enable = true;
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ environment.systemPackages = with pkgs; [
+ nvme-cli iotop mosh
+ ];
+
+ zramSwap.enable = true;
+ };
+}
diff --git a/installer/ruleset.nft b/installer/ruleset.nft
new file mode 100644
index 00000000..4de54dd7
--- /dev/null
+++ b/installer/ruleset.nft
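Review bot: The installer enables sshd, but nothing in the `services.openssh` block here pins how a client authenticates — no `passwordAuthentication = false`, no `permitRootLogin`, and no authorized keys are visible — while the accompanying `ruleset.nft` accepts tcp/22 and udp/60000-61000 from any source. That policy may well come from the imported `openssh` system profile, but a network-booted installer that apparently does not keep stable host keys (`staticHostKeys = false`, presumably a profile option) is exactly where a password-guessable or unauthenticated login would hurt, so I would make it explicit in this file: `passwordAuthentication = false;` and `permitRootLogin = "prohibit-password";` inside `services.openssh`, plus a comment noting that clients will see a changed host key on every boot. If the profile already sets these, a one-line comment such as `# sshd auth policy and keys come from systemProfiles.openssh` would save the next reader the lookup.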
@@ -0,0 +1,98 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter drop
+ log level debug prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60000-61000 counter accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter drop
+ log level debug prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\ No newline at end of file
-- cgit v1.2.3
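Review bot: The `input` chain of `table inet filter` has no `ct state established,related accept` rule, so under `policy drop` the reply packets of connections the installer opens itself (DNS lookups, fetching the closure during `nixos-install`) only get through if they happen to match `tcp dport 22`, the ICMP rules or the mosh UDP range; everything else falls into the `lim_reject`/log/reject block and then the drop policy. Unless the installer is deliberately meant to have no outbound connectivity, add `ct state established,related counter accept` directly after the `ct state invalid ... drop` rule in that chain (and the same in `forward` if forwarding is ever turned on). The anti-loopback `iif != lo` rules and the ICMP rate limit look fine as written; a comment above the chain stating what is intentionally reachable — `# exposed to any source: ssh tcp/22, mosh udp/60000-61000` — would make the exposure reviewable without reading every rule.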