nom-nom-nix-gc/modules/dundies/nftables.nix


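{ pkgs, lib, config, ... }:
{
  # Host firewall for this machine, written as a raw nftables ruleset.
  #
  # Policy summary (both the `ip` and `ip6` input chains default to drop):
  #   * loopback and established/related traffic is accepted;
  #   * globalTcpList / globalUdpList and the mosh UDP range are reachable
  #     from anywhere;
  #   * localTcpList / localUdpList are reachable only from the source
  #     prefixes named in the ruleset.
  networking.nftables = {
    enable = true;
    # Build-time `nft --check` of the ruleset is disabled, so a malformed rule
    # is only detected at activation, when loading the ruleset fails. The
    # rules below match interfaces by name (iifname/oifname), which does not
    # require the interface to exist at check time; re-enable this once the
    # ruleset passes the sandboxed check.
    checkRuleset = false;

    ruleset = let
      # Render a list of port strings as an nftables anonymous set,
      # e.g. [ "53" "67" ] -> "{53,67}".
      nfListFormat = xs: "{" + (lib.strings.concatStringsSep "," xs) + "}";

      # UDP services reachable only from the trusted local prefixes.
      localUdpList = [
        # DHCP
        "67"
        # DNS
        "53"
        # Avahi
        "5353" "4819"
        # Samba
        "137" "138"
      ];
      # TCP services reachable only from the trusted local prefixes.
      localTcpList = [
        # DNS
        "53"
        # Samba
        "139" "445"
        # Avahi
        "5353" "4819"
        # Transmission
        "9091"
      ];
      # TCP services reachable from any source.
      globalTcpList = [
        "22"
        "80"
        "443"
      ];
      # UDP services reachable from any source (wireguard listeners).
      globalUdpList = [
        # Extended Lan WG
        "51822"
        # Flokli WG
        "51821"
        # Garage WG
        "51830"
      ];
    in ''
      table ip filter {
        chain input {
          type filter hook input priority 0; policy drop;

          # Loopback is always trusted.
          iifname "lo" accept
          # Anti-spoofing: loopback and LAN destination addresses must arrive
          # on the matching interface.
          iifname != "lo" ip daddr 127.0.0.0/8 drop
          iifname != "eno2" ip daddr 192.168.21.0/24 drop
          iifname != "eno2" ip daddr 192.168.20.0/24 drop

          # Every ICMP type is accepted here, so no separate echo-request
          # rule is needed (it would never be reached).
          ip protocol icmp accept
          # Replies to traffic we originated.
          ct state {established, related} accept

          # Mosh incoming UDP range.
          udp dport 60000-61000 accept
          # Local-only services, from the two trusted LAN prefixes.
          ip saddr 192.168.1.0/24 udp dport ${nfListFormat localUdpList} accept
          ip saddr 192.168.1.0/24 tcp dport ${nfListFormat localTcpList} accept
          ip saddr 192.168.166.0/24 udp dport ${nfListFormat localUdpList} accept
          ip saddr 192.168.166.0/24 tcp dport ${nfListFormat localTcpList} accept
          # Globally reachable services.
          tcp dport ${nfListFormat globalTcpList} accept
          udp dport ${nfListFormat globalUdpList} accept
        }

        # All outgoing traffic is allowed.
        chain output {
          type filter hook output priority 0;
          accept
        }

        chain prerouting {
          type nat hook prerouting priority 0;
          #tcp dport 667 dnat to 192.168.11.246
        }

        chain forward {
          type filter hook forward priority 0;
          # Clamp the TCP MSS of SYN packets to the route MTU.
          tcp flags syn tcp option maxseg size set rt mtu counter
          # NOTE(review): the IPv4 forward chain has no policy and accepts
          # everything, whereas the ip6 forward chain below defaults to drop
          # and admits only listed interfaces; confirm this asymmetry is
          # intended before relying on it.
          accept
        }

        # Source NAT for traffic leaving on the uplink and tunnel links.
        chain wan_masquerade {
          type nat hook postrouting priority 100;
          oifname "eno1" masquerade
          oifname "wg-stolon" masquerade
          oifname "wg-dam64" masquerade
          oifname "wg-flokli" masquerade
        }
      }

      table ip6 filter {
        chain input {
          type filter hook input priority 0; policy drop;

          # Loopback is always trusted.
          iifname "lo" accept
          # Anti-spoofing: the loopback address must arrive on lo.
          iifname != "lo" ip6 daddr ::1/128 drop

          # ICMPv6 is accepted as a whole. `meta l4proto` is used instead of
          # `ip6 nexthdr` so the match still holds when an extension header
          # (e.g. hop-by-hop, as used by MLD) precedes the ICMPv6 header.
          meta l4proto icmpv6 accept
          # Replies to traffic we originated.
          ct state {established, related} accept

          # Globally reachable services.
          tcp dport ${nfListFormat globalTcpList} accept
          udp dport ${nfListFormat globalUdpList} accept
          # Local-only services, from the trusted IPv6 prefix.
          ip6 saddr 2a00:5880:1408:400::/60 tcp dport ${nfListFormat localTcpList} accept
          ip6 saddr 2a00:5880:1408:400::/60 udp dport ${nfListFormat localUdpList} accept
          # Mosh incoming UDP range.
          udp dport 60000-61000 accept
          # Port 3901, only over the wg-garage link.
          iifname "wg-garage" tcp dport 3901 accept
        }

        # All outgoing traffic is allowed.
        chain output {
          type filter hook output priority 0;
          accept
        }

        chain forward {
          type filter hook forward priority 0; policy drop;
          # Clamp the TCP MSS of SYN packets to the route MTU.
          tcp flags syn tcp option maxseg size set rt mtu counter
          # Traffic entering from the LAN and the extended-LAN tunnel may be
          # forwarded anywhere.
          iifname "eno2" accept
          iifname "wg-extended-lan" accept
          # Other links only get packets belonging to already tracked
          # connections.
          iifname "wg-stolon" ct state related,established accept
          iifname "enp1s0" ct state related,established accept
          iifname "wg-dam64" ct state related,established accept
          iifname "wg-flokli" ct state related,established accept
        }
      }
    '';
  };
}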