1 files changed, 75 insertions, 0 deletions

diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
new file mode 100644
index 0000000..767e122
--- /dev/null
+++ b/config/networking/services/firewall.nix
@@ -0,0 +1,75 @@
+{ config, ... }:
+
+let cfg = config.personal.networking;
+    ifaces = cfg.interfaces;
+in {
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+  };
+
+  networking = {
+    nftables = {
+      enable = true;
+      ruleset = ''
+      table ip global {
+        chain inbound_public {
+          icmp type echo-request limit rate 5/second accept
+        }
+        chain inbound_private {
+          icmp type echo-request limit rate 5/second accept
+          ip protocol . th dport { tcp . 22 \
+                                 , udp . 53 \
+                                 , tcp . 53 \
+                                 , udp . 67 } accept
+        }
+        chain inbound_iot {
+          icmp type echo-request limit rate 5/second accept
+          ip protocol . th dport { udp . 53 \
+                                 , tcp . 53 \
+                                 , udp . 67 } accept
+        }
+        chain inbound {
+          type filter hook input priority 0; policy drop;
+          icmp type echo-request limit rate 5/second accept
+          ct state vmap { { established \
+                          , related     } : accept \
+                        , invalid         : drop   }
+          meta iifname vmap { lo                : accept               \
+                            , ${ifaces.eth}     : jump inbound_public  \
+                            , ${ifaces.wlp5ghz} : jump inbound_private \
+                            , ${ifaces.wlp2ghz} : jump inbound_iot     }
+        }
+
+        chain forward {
+          type filter hook input priority 0; policy drop;
+          ct state vmap { { established \
+                          , related     } : accept \
+                          , invalid       : drop   }
+          meta oifname ${ifaces.eth} accept
+          meta iifname ${ifaces.wlp5ghz} accept
+          meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept
+        }
+      }
+
+      table ip nat {
+        chain postrouting {
+          type nat hook postrouting priority 100; policy accept;
+          meta oifname ${ifaces.eth} masquerade
+        }
+      }
+
+      table ip6 global6 {
+	      chain input {
+          type filter hook input priority 0; policy drop;
+        }
+        chain forward {
+          type filter hook forward priority 0; policy drop;
+        }
+      } 
+      '';
+    };
+
+    firewall.enable = false;
+  };
+}
+