From 25494ff6c1d9efbc04549a51186bc4fb15c63b30 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Thu, 13 Apr 2023 11:50:37 +0200
Subject: networking: add firewall

---
config/networking/nat.nix | 21 --------
config/networking/services/firewall.nix | 75 +++++++++++++++++++++++++++++++++
2 files changed, 75 insertions(+), 21 deletions(-)
delete mode 100644 config/networking/nat.nix
create mode 100644 config/networking/services/firewall.nix
(limited to 'config/networking')
diff --git a/config/networking/nat.nix b/config/networking/nat.nix
deleted file mode 100644
index 5bc0f79..0000000
--- a/config/networking/nat.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-let cfg = config.personal.networking;
-in {
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- };
-
- networking = {
- nat = {
- enable = true;
- externalInterface = cfg.interfaces.eth;
- internalInterfaces = [
- cfg.interfaces.wlp2ghz
- cfg.interfaces.wlp5ghz
- ];
- };
-
- firewall.enable = false;
- };
-}
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
new file mode 100644
index 0000000..767e122
--- /dev/null
+++ b/config/networking/services/firewall.nix
@@ -0,0 +1,75 @@
+{ config, ... }:
+
+let cfg = config.personal.networking;
+ ifaces = cfg.interfaces;
+in {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ };
+
+ networking = {
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table ip global {
+ chain inbound_public {
+ icmp type echo-request limit rate 5/second accept
+ }
+ chain inbound_private {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { tcp . 22 \
+ , udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound_iot {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound {
+ type filter hook input priority 0; policy drop;
+ icmp type echo-request limit rate 5/second accept
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta iifname vmap { lo : accept \
+ , ${ifaces.eth} : jump inbound_public \
+ , ${ifaces.wlp5ghz} : jump inbound_private \
+ , ${ifaces.wlp2ghz} : jump inbound_iot }
+ }
+
+ chain forward {
+ type filter hook input priority 0; policy drop;
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta oifname ${ifaces.eth} accept
+ meta iifname ${ifaces.wlp5ghz} accept
+ meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept
+ }
+ }
+
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ meta oifname ${ifaces.eth} masquerade
+ }
+ }
+
+ table ip6 global6 {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
+ '';
+ };
+
+ firewall.enable = false;
+ };
+}
+
-- cgit v1.2.3
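Review bot: The `forward` chain in `table ip global` is declared with `type filter hook input priority 0`, so it is a second input base chain rather than a forward filter; with `net.ipv4.conf.all.forwarding` enabled and no IPv4 base chain on the forward hook, routed IPv4 traffic between the interfaces passes unfiltered, while the chain's own rules are evaluated on the input path, where `meta iifname ${ifaces.wlp5ghz} accept` admits every inbound packet from the private WLAN regardless of the port list in `inbound_private`. The line should read `type filter hook forward priority 0; policy drop;`, matching the forward chain in `table ip6 global6`. Note that nft accepts two input base chains in one table, so a syntax check of the rendered ruleset would not catch this; a short comment above the chain naming the intended hook would help the next reader. The duplicated `ct state vmap` stanza could also be shared via a helper chain, but that is cosmetic.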