mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2026-04-14 13:19:09 +02:00
75 lines
1.9 KiB
Nix
75 lines
1.9 KiB
Nix
{ lib, config, confLib, ... }:
|
|
let
|
|
inherit (confLib.gen { name = "nftables"; }) serviceName;
|
|
in
|
|
{
|
|
options = {
|
|
swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
|
};
|
|
config = lib.mkIf config.swarselmodules.${serviceName} {
|
|
|
|
networking.nftables = {
|
|
stopRuleset = lib.mkDefault ''
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority filter; policy drop;
|
|
ct state invalid drop
|
|
ct state {established, related} accept
|
|
|
|
iifname lo accept
|
|
meta l4proto ipv6-icmp accept
|
|
meta l4proto icmp accept
|
|
ip protocol igmp accept
|
|
tcp dport ${toString (lib.head config.services.openssh.ports)} accept
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority filter; policy drop;
|
|
}
|
|
chain output {
|
|
type filter hook output priority filter; policy accept;
|
|
}
|
|
}
|
|
'';
|
|
|
|
firewall = {
|
|
enable = true;
|
|
localZoneName = "local";
|
|
snippets = {
|
|
nnf-common.enable = false;
|
|
nnf-conntrack.enable = true;
|
|
nnf-drop.enable = true;
|
|
nnf-loopback.enable = true;
|
|
nnf-ssh.enable = true;
|
|
nnf-dhcpv6.enable = true;
|
|
};
|
|
|
|
rules.untrusted-to-local = {
|
|
from = [ "untrusted" ];
|
|
to = [ "local" ];
|
|
|
|
inherit (config.networking.firewall)
|
|
allowedTCPPorts
|
|
allowedTCPPortRanges
|
|
allowedUDPPorts
|
|
allowedUDPPortRanges
|
|
;
|
|
};
|
|
|
|
rules.icmp-and-igmp = {
|
|
after = [
|
|
"ct"
|
|
"ssh"
|
|
];
|
|
from = "all";
|
|
to = [ "local" ];
|
|
extraLines = [
|
|
"meta l4proto ipv6-icmp accept"
|
|
"meta l4proto icmp accept"
|
|
"ip protocol igmp accept"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
};
|
|
}
|