peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
laptopshit
nixos/hosts/architect/firewall.nix

205 lines
7.0 KiB
Nix
Raw Permalink Normal View History

formatting
2021-11-25 11:42:32 +00:00
{ config, lib, ... }:
moved common packages to common; nftables on giupi
2021-07-01 11:26:21 +01:00
maxi update giupi
2021-07-03 23:43:52 +01:00
with import ./network.nix;
reorganized services in files
2021-07-07 13:13:19 +01:00
maxi update giupi
2021-07-03 23:43:52 +01:00
let
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
formatting
2021-11-25 11:42:32 +00:00
22 # ssh
80 # http
443 # https
8448 # matrix
maxi update giupi
2021-07-03 23:43:52 +01:00
10022 # gitea
many updates, yasssss
2022-03-15 15:58:04 +00:00
18080 # monero
jacopo, mikey, andrew wg clients. transmission added
2021-11-05 19:16:08 +00:00
51413 # transmission
maxi update giupi
2021-07-03 23:43:52 +01:00
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
formatting
2021-11-25 11:42:32 +00:00
1194 # wireguard
jacopo, mikey, andrew wg clients. transmission added
2021-11-05 19:16:08 +00:00
51413 # transmission
maxi update giupi
2021-07-03 23:43:52 +01:00
];
Changed firewall ports
2021-12-18 21:02:52 +00:00
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
22
80
443
32400 # plex
];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
53 # dns
many updates, yasssss
2022-03-15 15:58:04 +00:00
1194 # vpn
Changed firewall ports
2021-12-18 21:02:52 +00:00
];
maxi update giupi
2021-07-03 23:43:52 +01:00
in {
moved common packages to common; nftables on giupi
2021-07-01 11:26:21 +01:00
networking = {
# needed to use nftables
firewall.enable = false;
nat.enable = false;
nftables = {
enable = true;
ruleset = ''
formatting
2021-11-25 11:42:32 +00:00
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK "
drop
}
chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP "
drop
}
chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP "
drop
}
chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP "
drop
}
}
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
ct state established,related accept
iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
accept ping
2021-12-08 17:09:13 +00:00
ip saddr ${proxy-wg} accept comment "proxy > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
formatting
2021-11-25 11:42:32 +00:00
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
Changed firewall ports
2021-12-18 21:02:52 +00:00
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
accept ping
2021-12-08 17:09:13 +00:00
iifname ${vpn-if} icmp type echo-request accept
formatting
2021-11-25 11:42:32 +00:00
jump filter_drop
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
jump filter_drop
}
chain OUTPUT {
type filter hook output priority filter; policy drop;
ct state established,related accept
accept comment "local > *"
jump filter_drop
}
chain filter_drop {
ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK "
drop
}
chain filter_drop_icmp {
log prefix "DROP-icmp "
drop
}
chain filter_drop_tcp {
log prefix "DROP-tcp "
drop
}
chain filter_drop_udp {
log prefix "DROP-udp "
drop
}
}
'';
moved common packages to common; nftables on giupi
2021-07-01 11:26:21 +01:00
};
};
}
Reference in New Issue Copy Permalink