| author | quentin@aristote.fr <quentin@aristote.fr> | 2023-04-13 14:20:22 +0200 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2023-04-13 14:20:22 +0200 |
| commit | dbb6444b03bacb9479560e8cd87ebe2776d348b3 (patch) | |
| tree | 9a3bc95bfdbc63bc1695af987e7b0377b9661c37 /config/networking/services/firewall.nix | |
| parent | 25494ff6c1d9efbc04549a51186bc4fb15c63b30 (diff) | |
networking: restructure personal.networking modules
Diffstat (limited to 'config/networking/services/firewall.nix')
| -rw-r--r-- | config/networking/services/firewall.nix | 111 |
1 files changed, 54 insertions, 57 deletions
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
index 767e122..1d8a297 100644
--- a/config/networking/services/firewall.nix
+++ b/config/networking/services/firewall.nix
@@ -1,75 +1,72 @@ { config, ... }: -let cfg = config.personal.networking; - ifaces = cfg.interfaces; +let nets = config.personal.networking.networks; in { - boot.kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = true; - }; + boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; networking = { nftables = { enable = true; - ruleset = '' - table ip global { - chain inbound_public { - icmp type echo-request limit rate 5/second accept - } - chain inbound_private { - icmp type echo-request limit rate 5/second accept - ip protocol . th dport { tcp . 22 \ - , udp . 53 \ - , tcp . 53 \ - , udp . 67 } accept - } - chain inbound_iot { - icmp type echo-request limit rate 5/second accept - ip protocol . th dport { udp . 53 \ - , tcp . 53 \ - , udp . 67 } accept - } - chain inbound { - type filter hook input priority 0; policy drop; - icmp type echo-request limit rate 5/second accept - ct state vmap { { established \ - , related } : accept \ - , invalid : drop } - meta iifname vmap { lo : accept \ - , ${ifaces.eth} : jump inbound_public \ - , ${ifaces.wlp5ghz} : jump inbound_private \ - , ${ifaces.wlp2ghz} : jump inbound_iot } - } + ruleset = with nets; '' + table ip global { + chain inbound_lan { + icmp type echo-request limit rate 5/second accept + } + chain inbound_wan { + icmp type echo-request limit rate 5/second accept + ip protocol . th dport { tcp . 22 \ + , udp . 53 \ + , tcp . 53 \ + , udp . 67 } accept + } + chain inbound_iot { + icmp type echo-request limit rate 5/second accept + ip protocol . th dport { udp . 53 \ + , tcp . 53 \ + , udp . 
67 } accept + } + chain inbound { + type filter hook input priority 0; policy drop; + icmp type echo-request limit rate 5/second accept + ct state vmap { { established \ + , related } : accept \ + , invalid : drop } + meta iifname vmap { lo : accept \ + , ${lan.interface} : jump inbound_lan \ + , ${wan.interface} : jump inbound_wan \ + , ${iot.interface} : jump inbound_iot } + } - chain forward { - type filter hook input priority 0; policy drop; - ct state vmap { { established \ - , related } : accept \ - , invalid : drop } - meta oifname ${ifaces.eth} accept - meta iifname ${ifaces.wlp5ghz} accept - meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept + chain forward { + type filter hook input priority 0; policy drop; + ct state vmap { { established \ + , related } : accept \ + , invalid : drop } + meta oifname ${lan.interface} accept + meta iifname ${wan.interface} accept + meta iifname ${iot.interface} meta oifname ${iot.interface} accept + } } - } - table ip nat { - chain postrouting { - type nat hook postrouting priority 100; policy accept; - meta oifname ${ifaces.eth} masquerade + table ip nat { + chain postrouting { + type nat hook postrouting priority 100; policy accept; + meta oifname ${lan.interface} masquerade + } } - } - table ip6 global6 { - chain input { - type filter hook input priority 0; policy drop; - } - chain forward { - type filter hook forward priority 0; policy drop; - } - } + table ip6 global6 { + chain input { + type filter hook input priority 0; policy drop; + } + chain forward { + type filter hook forward priority 0; policy drop; + } + } ''; }; firewall.enable = false; }; } - + |
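Review bot: In the `ip global` table the re-indented `chain forward` still declares `type filter hook input priority 0; policy drop;` (the `+` lines right after the `inbound` chain), so the `ip` table has no base chain on the forward hook at all; with `net.ipv4.conf.all.forwarding` set to true in this same hunk, forwarded IPv4 traffic between `lan`, `wan` and `iot` is never evaluated by these rules and passes unfiltered, while the `iifname`/`oifname` accepts listed there are applied to locally delivered packets instead. The `ip6 global6` table further down gets this right with `type filter hook forward priority 0; policy drop;`, so the IPv4 line reads like a copy-and-paste slip that the restructure carried over rather than an intentional choice. A second input-hook base chain with a drop policy also means an inbound packet has to be accepted by both `inbound` and `forward` to be delivered, which presumably rejects new connections arriving on `lan.interface` and `iot.interface` even when `inbound_lan`/`inbound_iot` would accept them — worth confirming on the host. The fix is one line in the IPv4 `forward` chain: `type filter hook forward priority 0; policy drop;`.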
