From dbb6444b03bacb9479560e8cd87ebe2776d348b3 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Thu, 13 Apr 2023 14:20:22 +0200
Subject: networking: restructure personal.networking modules
---
 config/networking/services/firewall.nix | 111 ++++++++++++++++----------------
 1 file changed, 54 insertions(+), 57 deletions(-)
(limited to 'config/networking/services/firewall.nix')
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
index 767e122..1d8a297 100644
--- a/config/networking/services/firewall.nix
+++ b/config/networking/services/firewall.nix
@@ -1,75 +1,72 @@
 { config, ... }:
-let cfg = config.personal.networking;
- ifaces = cfg.interfaces;
+let nets = config.personal.networking.networks;
 in {
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- };
+ boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };
 networking = {
 nftables = {
 enable = true;
- ruleset = ''
- table ip global {
- chain inbound_public {
- icmp type echo-request limit rate 5/second accept
- }
- chain inbound_private {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { tcp . 22 \
- , udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
- }
- chain inbound_iot {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
- }
- chain inbound {
- type filter hook input priority 0; policy drop;
- icmp type echo-request limit rate 5/second accept
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
- meta iifname vmap { lo : accept \
- , ${ifaces.eth} : jump inbound_public \
- , ${ifaces.wlp5ghz} : jump inbound_private \
- , ${ifaces.wlp2ghz} : jump inbound_iot }
- }
+ ruleset = with nets; ''
+ table ip global {
+ chain inbound_lan {
+ icmp type echo-request limit rate 5/second accept
+ }
+ chain inbound_wan {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { tcp . 22 \
+ , udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound_iot {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound {
+ type filter hook input priority 0; policy drop;
+ icmp type echo-request limit rate 5/second accept
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta iifname vmap { lo : accept \
+ , ${lan.interface} : jump inbound_lan \
+ , ${wan.interface} : jump inbound_wan \
+ , ${iot.interface} : jump inbound_iot }
+ }
- chain forward {
- type filter hook input priority 0; policy drop;
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
- meta oifname ${ifaces.eth} accept
- meta iifname ${ifaces.wlp5ghz} accept
- meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept
+ chain forward {
+ type filter hook input priority 0; policy drop;
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta oifname ${lan.interface} accept
+ meta iifname ${wan.interface} accept
+ meta iifname ${iot.interface} meta oifname ${iot.interface} accept
+ }
 }
- }
- table ip nat {
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- meta oifname ${ifaces.eth} masquerade
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ meta oifname ${lan.interface} masquerade
+ }
 }
- }
- table ip6 global6 {
- chain input {
- type filter hook input priority 0; policy drop;
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- }
+ table ip6 global6 {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
 '';
 };
 firewall.enable = false;
 };
 }
-
+
-- cgit v1.2.3
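Review bot: The IPv4 `chain forward` in `table ip global` is declared with `type filter hook input priority 0; policy drop;`, so on the new side it is a second base chain on the input hook rather than a chain on the forward hook; the commit carries this over from the old ruleset, while `table ip6 global6` in the same hunk correctly uses `hook forward`. With `net.ipv4.conf.all.forwarding` enabled in this file, nothing in the ip table then filters the IPv4 forwarding path, and the `meta oifname` matches in that chain are not expected to match on the input hook, so its `policy drop` is presumably applied to input traffic alongside `inbound`. The line should read `type filter hook forward priority 0; policy drop;`. Separately, the new names read inverted relative to the rules — `lan.interface` is the masquerade egress and only answers ping, while `wan.interface` is offered SSH/DNS/DHCP and has its forwarded traffic accepted — which may be intentional given the `networks` options, but a one-line comment above `ruleset` stating which interface is the uplink would make that explicit.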