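# Nftables firewall for a router-style host. Interface names come from
# config.personal.networking.interfaces: `eth` is the uplink that gets
# masqueraded, `wlp5ghz` a trusted WLAN and `wlp2ghz` a separate IoT WLAN.
# This ruleset replaces the NixOS iptables firewall (disabled below).
{ config, ... }:

let
  cfg = config.personal.networking;
  ifaces = cfg.interfaces;
in {
  boot.kernel.sysctl = {
    # Only IPv4 is routed. No IPv6 forwarding sysctl is set and the ip6 table
    # below drops everything.
    "net.ipv4.conf.all.forwarding" = true;
  };

  networking = {
    nftables = {
      enable = true;
      ruleset = ''
        table ip global {
          # Per-interface inbound policies, reached via the `inbound` vmap.
          # Anything they do not accept falls back to the base chain's
          # `policy drop`.
          chain inbound_public {
            icmp type echo-request limit rate 5/second accept
          }
          chain inbound_private {
            icmp type echo-request limit rate 5/second accept
            # SSH plus the DNS and DHCP server ports for the trusted WLAN.
            ip protocol . th dport { tcp . 22 \
                                   , udp . 53 \
                                   , tcp . 53 \
                                   , udp . 67 } accept
          }
          chain inbound_iot {
            icmp type echo-request limit rate 5/second accept
            # DNS and DHCP only; no SSH from the IoT WLAN.
            ip protocol . th dport { udp . 53 \
                                   , tcp . 53 \
                                   , udp . 67 } accept
          }
          chain inbound {
            type filter hook input priority 0; policy drop;
            icmp type echo-request limit rate 5/second accept
            ct state vmap { { established \
                            , related     } : accept \
                          , invalid         : drop   }
            # Interface names are quoted so that nft parses them as strings
            # whatever characters they contain.
            meta iifname vmap { "lo"                : accept               \
                              , "${ifaces.eth}"     : jump inbound_public  \
                              , "${ifaces.wlp5ghz}" : jump inbound_private \
                              , "${ifaces.wlp2ghz}" : jump inbound_iot     }
          }

          chain forward {
            # This chain must hook `forward`: hooked on `input` it would never
            # see routed packets, leaving IPv4 forwarding (enabled above)
            # completely unfiltered while also competing with `inbound` for
            # local traffic.
            type filter hook forward priority 0; policy drop;
            ct state vmap { { established \
                            , related     } : accept \
                          , invalid         : drop   }
            # Any interface may forward towards the uplink; the trusted WLAN
            # may reach any network; IoT traffic is otherwise confined to the
            # IoT WLAN itself.
            meta oifname "${ifaces.eth}" accept
            meta iifname "${ifaces.wlp5ghz}" accept
            meta iifname "${ifaces.wlp2ghz}" meta oifname "${ifaces.wlp2ghz}" accept
          }
        }

        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            meta oifname "${ifaces.eth}" masquerade
          }
        }

        # IPv6 is dropped wholesale, both inbound and routed. Note that this
        # also drops ICMPv6 (neighbour discovery), so the host has no IPv6
        # connectivity at all; relax these chains before enabling IPv6.
        table ip6 global6 {
          chain input {
            type filter hook input priority 0; policy drop;
          }
          chain forward {
            type filter hook forward priority 0; policy drop;
          }
        }
      '';
    };

    # The NixOS iptables firewall would conflict with the ruleset above.
    firewall.enable = false;
  };
}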