diff options
| -rw-r--r-- | config/networking/default.nix | 52 | ||||
| -rw-r--r-- | config/networking/services/dhcp.nix | 2 | ||||
| -rw-r--r-- | config/networking/services/firewall.nix | 99 |
3 files changed, 92 insertions, 61 deletions
diff --git a/config/networking/default.nix b/config/networking/default.nix index 0692e6b..ea7e17e 100644 --- a/config/networking/default.nix +++ b/config/networking/default.nix @@ -7,29 +7,33 @@ in { imports = [ ./services ]; options.personal.networking = { - interfaces = lib.mkOption { + networks = lib.mkOption { type = with lib.types; attrsOf (submodule { - interface = lib.mkOption { - type = lib.types.str; - description = "Name of the network interface."; - example = "enp4s0"; - }; - subnet = lib.mkOption { - type = lib.types.str; - description = "IPv4 subnet of the network."; - example = "192.168.1"; - }; - machines = lib.mkOption { - type = with lib.types; - attrsOf (submodule { - address = lib.mkOption { - type = lib.types.str; - description = "IP address of this machine."; - example = "192.168.1.1"; - }; - }); - description = "Some machines connected to this network."; + options = { + interface = lib.mkOption { + type = lib.types.str; + description = "Name of the network interface."; + example = "enp4s0"; + }; + subnet = lib.mkOption { + type = lib.types.str; + description = "IPv4 subnet of the network."; + example = "192.168.1"; + }; + machines = lib.mkOption { + type = with lib.types; + attrsOf (submodule { + options = { + address = lib.mkOption { + type = lib.types.str; + description = "IP address of this machine."; + example = "192.168.1.1"; + }; + }; + }); + description = "Some machines connected to this network."; + }; }; }); description = "Networks this device belongs to."; @@ -65,7 +69,7 @@ in { networking = { hostName = "kerberos"; domain = "local"; - nameserver = [ cfg.networks.lan.machines.livebox.address ]; + nameservers = [ cfg.networks.lan.machines.livebox.address ]; defaultGateway = with cfg.networks.lan; { inherit interface; @@ -76,8 +80,8 @@ in { interfaces = lib.concatMapAttrs (name: value: { "${value.interface}" = { useDHCP = false; - ipv4.address = lib.optional (value.machines ? self) { - inherit (value.machines) address; + ipv4.addresses = lib.optional (value.machines ? self) { + inherit (value.machines.self) address; prefixLength = 24; }; }; diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix index cca9328..15dce43 100644 --- a/config/networking/services/dhcp.nix +++ b/config/networking/services/dhcp.nix @@ -6,7 +6,7 @@ let option broadcast-address ${network.subnet}.255; option routers ${network.machines.self.address}; interface ${network.interface}; - range ${network.subnet}.10 ${network.subnet}.99 + range ${network.subnet}.10 ${network.subnet}.99; } ''; in { diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix index 30b1a93..2dcf452 100644 --- a/config/networking/services/firewall.nix +++ b/config/networking/services/firewall.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, lib, ... }: let nets = config.personal.networking.networks; in { @@ -38,21 +38,30 @@ in { chain sonos_app { # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 - ip protocol . th sport . th dport \ - { tcp . { 1400, 3400, 3401, 3500 } \ - . { 1400, 3400, 3401, 3500 } \ - , udp . 1900-1901 \ - . 1900-1901 } \ + ip protocol tcp \ + tcp sport { 1400, 3400, 3401, 3500 } \ + tcp dport { 1400, 3400, 3401, 3500 } \ + accept comment "sonos: app control" + ip protocol udp \ + udp sport 1900-1901 \ + udp dport 1900-1901 \ accept comment "sonos: app control" } chain sonos { # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 - ip protocol . th sport . th dport vmap \ - { tcp . 4444 . 4444 : comment "sonos: system updates" \ - , udp . 6969 . 6969 : comment "sonos: setup" \ - , udp . { 32412, 32414 } \ - . { 32412, 32414 } : comment "sonos" } accept + ip protocol tcp \ + tcp sport 4444 \ + tcp dport 4444 \ + accept comment "sonos: system updates" + ip protocol udp \ + udp sport 6969 \ + udp dport 6969 \ + accept comment "sonos: setup" + ip protocol udp \ + udp sport { 32413, 32414 } \ + udp dport { 32412, 32414 } \ + accept comment "sonos" } chain ssh { ip protocol tcp \ @@ -62,25 +71,27 @@ in { } chain steam { # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB - ip protocol . th sport . th dport vmap \ - { udp . >= 0 . 27000-27100 : \ - comment "steam: client: game traffic" \ - , udp . 27031-27036 . >= 0 : \ - comment "steam: client: remote play" \ - , tcp . 27036 . >= 0 : \ - comment "steam: client: remote play" \ - , udp . >= 0 . 4380 : \ - comment "steam: client" \ - , tcp . 27015 . >= 0 : \ - comment "steam: servers: SRCDS Rcon port" \ - , udp . 27015 . >= 0 : \ - comment "steam: servers: gameplay traffic" \ - , udp . >= 0 . { 3478 \ - , 4379 \ - , 4380 \ - , 27014-27030 } : \ - comment "steam: p2p, voice chat" } - accept + ip protocol { udp, tcp } \ + th dport 27015-27050 \ + accept comment "steam: login, download" + ip protocol udp \ + udp dport 27000-27100 \ + accept comment "steam: client: game traffic" + ip protocol . th sport \ + { udp . 27031-27036, tcp . 27036 } \ + accept comment "steam: client: remote play" + ip protocol udp \ + udp dport 4380 \ + accept comment "steam: client" + ip protocol tcp \ + tcp sport 27015 \ + accept comment "steam: servers: SRCDS Rcon port" + ip protocol udp \ + udp sport 27015 \ + accept comment "steam: servers: gameplay traffic" + ip protocol udp \ + udp dport { 3478, 4379, 4380, 27014-27030 } \ + accept comment "steam: p2p, voice chat" } chain syncthing { # https://docs.syncthing.net/users/firewall.html @@ -94,6 +105,15 @@ in { accept comment "syncthing: discovery broadcasts" } + chain in_wan { + jump dns + jump dhcp + jump ssh + } + chain in_iot { + jump dns + jump dhcp + } chain inbound { type filter hook input priority 0; policy drop; icmp type echo-request limit rate 5/second accept @@ -101,25 +121,32 @@ in { meta iifname vmap \ { lo : accept \ , ${lan.interface} : drop \ - , ${wan.interface} : jump dns jump dhcp jump ssh \ - , ${iot.interface} : jump dns jump dhcp } + , ${wan.interface} : goto in_wan \ + , ${iot.interface} : goto in_iot } } + chain wan_wan { + jump kdeconnect + jump syncthing + } + chain iot_wan { + jump sonos_app + } chain forward { type filter hook forward priority 0; policy drop; jump conntrack meta oifname ${lan.interface} accept meta iifname ${wan.interface} meta oifname ${wan.interface} \ - jump kdeconnect jump syncthing + goto wan_wan meta iifname ${iot.interface} meta oifname ${wan.interface} \ - jump sonos_app + goto iot_wan } } table ip nat { chain postrouting { type nat hook postrouting priority 100; policy accept; - meta oifname ${lan.interface} snat to ${lan.machines.self.address} + meta oifname ${lan.interface} snat to ${lan.machines.self.address} } } @@ -134,6 +161,6 @@ in { ''; }; - firewall.enable = false; + firewall.enable = lib.mkForce false; }; } |