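{ pkgs, lib, config, ... }:

# nftables firewall for a small router.  From the rules below: eno2 is the
# LAN side (192.168.20/21 live behind it), eno1 is the IPv4 upstream (it is
# the interface that gets masqueraded), and the wg-* interfaces are WireGuard
# tunnels.  Both address families use stateful filtering with a default drop
# on input and forward.
{
  networking.nftables = {
    enable = true;

    # Let NixOS run `nft --check` on the ruleset at build time.  Without it a
    # typo only surfaces when the nftables unit fails at boot, and a host whose
    # ruleset did not load has NO firewall at all.  Interfaces below are matched
    # by name (iifname/oifname) rather than by index (iif/oif), so the check
    # does not need the interfaces to exist in the build sandbox.  If the check
    # environment rejects a rule, fix the rule rather than disabling the check.
    checkRuleset = true;

    ruleset = let
      # Render a Nix list of strings as an anonymous nftables set: {a,b,c}.
      nfListFormat = xs: "{" + (lib.strings.concatStringsSep "," xs) + "}";

      # Ports reachable only from the "local" networks (lanV4Sources / lanV6Prefix).
      localUdpList = [
        "67"            # DHCP
        "53"            # DNS
        "5353" "4819"   # Avahi
        "137" "138"     # Samba
      ];
      localTcpList = [
        "53"            # DNS
        "139" "445"     # Samba
        "5353" "4819"   # Avahi
        "9091"          # Transmission
      ];

      # Ports reachable from anywhere.
      globalTcpList = [
        "22"    # SSH
        "80"    # HTTP
        "443"   # HTTPS
      ];
      globalUdpList = [
        "51822" # Extended Lan WG
        "51821" # Flokli WG
        "51830" # Garage WG
      ];

      # IPv4 source networks that are granted the "local" ports.
      lanV4Sources = [ "192.168.1.0/24" "192.168.166.0/24" ];
      # Subnets that live behind eno2; packets for them must not arrive elsewhere.
      lanV4Subnets = [ "192.168.20.0/24" "192.168.21.0/24" ];
      # IPv6 prefix granted the "local" ports (canonical form of ...400::1/60).
      lanV6Prefix = "2a00:5880:1408:400::/60";
    in ''
      table ip filter {
        # Inbound to this host: drop everything not explicitly listed below.
        chain input {
          type filter hook input priority 0; policy drop;

          # Loopback is trusted; a loopback destination on any other
          # interface is spoofed.
          iifname "lo" accept
          iifname != "lo" ip daddr 127.0.0.0/8 drop

          # The LAN subnets are only reachable through eno2.
          iifname != "eno2" ip daddr ${nfListFormat lanV4Subnets} drop

          # Conntrack: discard packets with no valid state, admit replies to
          # our own traffic.
          ct state invalid drop
          ct state { established, related } accept

          # ICMP: "ping" plus the error types needed for path MTU discovery
          # and traceroute.  Other types (redirects, timestamps, ...) are
          # dropped; the original intent noted here was "SSH and ping" only.
          icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept

          # Mosh session range.  Global like SSH, since mosh is bootstrapped
          # over an SSH session.
          udp dport 60000-61000 accept

          # Services for the local networks.
          # NOTE(review): these match on source address alone.  A packet
          # arriving on any interface with a forged 192.168.x source reaches
          # Samba/Transmission; add an `iifname` match here once it is known
          # which interface carries each of these networks.
          ip saddr ${nfListFormat lanV4Sources} udp dport ${nfListFormat localUdpList} accept
          ip saddr ${nfListFormat lanV4Sources} tcp dport ${nfListFormat localTcpList} accept

          # Services for everyone.
          tcp dport ${nfListFormat globalTcpList} accept
          udp dport ${nfListFormat globalUdpList} accept
        }

        # Outbound from this host: unrestricted.
        chain output {
          type filter hook output priority 0; policy accept;
        }

        # Routed traffic.  Default drop, so only the LAN side may open new
        # connections; everything else only gets replies.  (Previously this
        # chain accepted everything, so the upstream could reach any host
        # behind the router directly.)
        chain forward {
          type filter hook forward priority 0; policy drop;

          # Clamp the TCP MSS on SYNs to the route MTU so tunnelled links
          # (WireGuard) do not depend on working PMTUD.
          tcp flags syn tcp option maxseg size set rt mtu counter

          ct state invalid drop
          ct state { established, related } accept

          # New connections from the LAN and the extended-LAN tunnel, mirroring
          # the ip6 forward chain below.
          # NOTE(review): confirm this list against the real IPv4 topology;
          # any other network that must initiate routed traffic belongs here.
          iifname { "eno2", "wg-extended-lan" } accept
        }

        # Port forwards.  A DNAT target also needs a matching
        # `ct status dnat accept` in the forward chain above.
        chain prerouting {
          type nat hook prerouting priority 0; policy accept;
          #tcp dport 667 dnat to 192.168.11.246
        }

        # Source-NAT everything leaving towards the upstream and the
        # WireGuard peers that only know this router's address.
        chain wan_masquerade {
          type nat hook postrouting priority 100; policy accept;
          oifname { "eno1", "wg-stolon", "wg-dam64", "wg-flokli" } masquerade
        }
      }

      table ip6 filter {
        # Inbound to this host: drop everything not explicitly listed below.
        chain input {
          type filter hook input priority 0; policy drop;

          iifname "lo" accept
          iifname != "lo" ip6 daddr ::1/128 drop

          ct state invalid drop
          ct state { established, related } accept

          # ICMPv6 carries neighbour discovery, router advertisements and
          # PMTUD, so it is accepted wholesale.  `meta l4proto` also matches
          # when extension headers precede the ICMPv6 header, which a plain
          # `ip6 nexthdr` test does not.
          meta l4proto ipv6-icmp accept

          # Services for everyone.
          tcp dport ${nfListFormat globalTcpList} accept
          udp dport ${nfListFormat globalUdpList} accept

          # Services for the local prefix.
          ip6 saddr ${lanV6Prefix} tcp dport ${nfListFormat localTcpList} accept
          ip6 saddr ${lanV6Prefix} udp dport ${nfListFormat localUdpList} accept

          # Mosh session range (see the ip table).
          udp dport 60000-61000 accept

          # Garage, reachable from its own tunnel only.
          iifname "wg-garage" tcp dport 3901 accept
        }

        # Outbound from this host: unrestricted.
        chain output {
          type filter hook output priority 0; policy accept;
        }

        # Routed traffic: the LAN side and the extended-LAN tunnel may open
        # connections; the listed upstream/peer interfaces only get replies.
        chain forward {
          type filter hook forward priority 0; policy drop;

          # Clamp the TCP MSS on SYNs to the route MTU (see the ip table).
          tcp flags syn tcp option maxseg size set rt mtu counter

          ct state invalid drop

          iifname { "eno2", "wg-extended-lan" } accept
          iifname { "wg-stolon", "enp1s0", "wg-dam64", "wg-flokli" } ct state { established, related } accept
        }
      }
    '';
  };
}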