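# NixOS router firewall: a hand-written nftables ruleset that replaces the
# stock NixOS firewall (networking.firewall is disabled below so the two do
# not both program the kernel).
{ config, ... }:
let
  # Per-interface settings (lan / wan / iot) come from the host's own options.
  nets = config.personal.networking.networks;
in {
  # The box routes IPv4 between its interfaces; what may actually be routed
  # is decided by the `forward` chain below. IPv6 forwarding stays off.
  boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };

  networking = {
    nftables = {
      enable = true;
      ruleset = with nets; ''
        table ip global {
          # Per-interface allow lists, jumped to from `inbound`. Anything not
          # accepted here returns to `inbound` and hits its drop policy.
          chain inbound_lan {
            icmp type echo-request limit rate 5/second accept
          }
          chain inbound_wan {
            icmp type echo-request limit rate 5/second accept
            # SSH, DNS and DHCP are served to hosts on this interface.
            ip protocol . th dport { tcp . 22 \
                                   , udp . 53 \
                                   , tcp . 53 \
                                   , udp . 67 } accept
          }
          chain inbound_iot {
            icmp type echo-request limit rate 5/second accept
            # DNS and DHCP only; no SSH from the IoT segment.
            ip protocol . th dport { udp . 53 \
                                   , tcp . 53 \
                                   , udp . 67 } accept
          }

          # Traffic addressed to the router itself.
          chain inbound {
            type filter hook input priority 0; policy drop;
            # Rate-limited ping from anywhere. The echo-request rules in the
            # per-interface chains above never match because this rule runs
            # first; they are kept so each chain reads as a complete policy.
            icmp type echo-request limit rate 5/second accept
            ct state vmap { established : accept \
                          , related : accept \
                          , invalid : drop }
            meta iifname vmap { lo : accept \
                              , ${lan.interface} : jump inbound_lan \
                              , ${wan.interface} : jump inbound_wan \
                              , ${iot.interface} : jump inbound_iot }
          }

          # Traffic routed through the router. This chain must sit on the
          # forward hook: it previously declared `hook input`, which left the
          # forward hook with no base chain at all, so every routed packet
          # (including IoT -> other segments) was accepted unfiltered and the
          # per-interface rules below were never enforced.
          chain forward {
            type filter hook forward priority 0; policy drop;
            ct state vmap { established : accept \
                          , related : accept \
                          , invalid : drop }
            # New flows may leave towards lan from any interface, may enter
            # from wan towards anywhere, and IoT may only talk to IoT.
            # NOTE(review): together with the masquerade below this treats
            # `lan` as the upstream side and `wan` as the client side; if the
            # option names mean the opposite, these two rules are inverted --
            # confirm against the host's network definition.
            meta oifname ${lan.interface} accept
            meta iifname ${wan.interface} accept
            meta iifname ${iot.interface} meta oifname ${iot.interface} accept
          }
        }

        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            # Source-NAT everything leaving via lan behind the router's own address.
            meta oifname ${lan.interface} masquerade
          }
        }

        # IPv6: nothing in, nothing routed. Note this also drops loopback
        # (::1) and ICMPv6 neighbour discovery, so IPv6 is effectively
        # unusable on this host -- presumably intended. If IPv6 is ever
        # enabled, accept `iifname lo`, `ct state established,related` and
        # an ICMPv6 allow list before anything else.
        table ip6 global6 {
          chain input {
            type filter hook input priority 0; policy drop;
          }
          chain forward {
            type filter hook forward priority 0; policy drop;
          }
        }
      '';
    };

    # The stock NixOS firewall must be off so it does not load its own
    # ruleset alongside this one; this file is the complete policy.
    firewall.enable = false;
  };
}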