| author | quentin@aristote.fr <quentin@aristote.fr> | 2023-04-13 11:50:37 +0200 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2023-04-13 13:35:46 +0200 |
| commit | 25494ff6c1d9efbc04549a51186bc4fb15c63b30 (patch) | |
| tree | 2d5486239bf48f05dfc69e083b1a144c8a3d27fa /config/networking | |
| parent | 389940b3ab47d6d2fedb3a6acbb767b37d635557 (diff) | |
networking: add firewall
Diffstat (limited to 'config/networking')
| -rw-r--r-- | config/networking/nat.nix | 21 | ||||
| -rw-r--r-- | config/networking/services/firewall.nix | 75 |
2 files changed, 75 insertions, 21 deletions
diff --git a/config/networking/nat.nix b/config/networking/nat.nix
deleted file mode 100644
index 5bc0f79..0000000
--- a/config/networking/nat.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-let cfg = config.personal.networking;
-in {
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- };
-
- networking = {
- nat = {
- enable = true;
- externalInterface = cfg.interfaces.eth;
- internalInterfaces = [
- cfg.interfaces.wlp2ghz
- cfg.interfaces.wlp5ghz
- ];
- };
-
- firewall.enable = false;
- };
-}
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
new file mode 100644
index 0000000..767e122
--- /dev/null
+++ b/config/networking/services/firewall.nix
@@ -0,0 +1,75 @@
+{ config, ... }:
+
+let cfg = config.personal.networking;
+ ifaces = cfg.interfaces;
+in {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ };
+
+ networking = {
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table ip global {
+ chain inbound_public {
+ icmp type echo-request limit rate 5/second accept
+ }
+ chain inbound_private {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { tcp . 22 \
+ , udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound_iot {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound {
+ type filter hook input priority 0; policy drop;
+ icmp type echo-request limit rate 5/second accept
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta iifname vmap { lo : accept \
+ , ${ifaces.eth} : jump inbound_public \
+ , ${ifaces.wlp5ghz} : jump inbound_private \
+ , ${ifaces.wlp2ghz} : jump inbound_iot }
+ }
+
+ chain forward {
+ type filter hook input priority 0; policy drop;
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta oifname ${ifaces.eth} accept
+ meta iifname ${ifaces.wlp5ghz} accept
+ meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept
+ }
+ }
+
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ meta oifname ${ifaces.eth} masquerade
+ }
+ }
+
+ table ip6 global6 {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
+ '';
+ };
+
+ firewall.enable = false;
+ };
+}
+
|
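Review bot: The `chain forward` inside `table ip global` is registered on the wrong hook — `type filter hook input priority 0; policy drop;` — so it becomes a second input-hook base chain instead of a forward filter, whereas the ip6 table's forward chain in the same hunk correctly uses `hook forward`. The consequence is twofold: IPv4 traffic routed between the wireless interfaces and eth is not filtered at all (no forward-hook chain exists in the ip family, so the nat masquerade forwards everything), and because a drop in any base chain on a hook wins, this misnamed chain drops new inbound packets from eth and wlp2ghz that `inbound` meant to accept (its `oifname` rules never match in the input path, leaving only the `iifname wlp5ghz` accept), so e.g. the DHCP/DNS rules in `inbound_iot` are effectively dead. The line should read `type filter hook forward priority 0; policy drop;`. Separately, `table ip6 global6` drops every IPv6 input packet including loopback and ICMPv6 neighbour discovery, which breaks IPv6 on the host unless it is disabled elsewhere in this config; either accept `ip6 nexthdr icmpv6` and `iifname lo` there, or add a comment stating that IPv6 is intentionally switched off.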
