architect: port firewall to networking attrset

This commit is contained in:
Giulio De Pasquale 2023-05-12 14:28:58 +02:00
parent 1e19a08665
commit e5aab58be7


@ -1,13 +1,38 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix;
with lib;
let let
openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
deviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
gdevices = [
(deviceAddress "tailscale" "architect")
(deviceAddress "tailscale" "dodino")
(deviceAddress "tailscale" "manduria")
(deviceAddress "tailscale" "kmerr")
(deviceAddress "tailscale" "chuck")
];
wireguardToWAN = [
(deviceAddress "wireguard" "shield")
(deviceAddress "wireguard" "parina")
(deviceAddress "wireguard" "parina-ipad")
(deviceAddress "wireguard" "germano")
];
frameccaDevices = [
(deviceAddress "wireguard" "framecca")
(deviceAddress "wireguard" "framecca_one")
(deviceAddress "wireguard" "framecca_two")
(deviceAddress "wireguard" "framecca_three")
(deviceAddress "wireguard" "framecca_four")
];
clientToClientWireguard = frameccaDevices;
in in
{ {
networking = { networking = {
@ -17,7 +42,7 @@ in
nftables = { nftables = {
enable = true; enable = true;
ruleset = '' ruleset = with config.architect.networks; ''
table ip raw { table ip raw {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority raw; policy accept; type filter hook prerouting priority raw; policy accept;
@ -43,11 +68,11 @@ in
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${ oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," wireguardToWAN
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade oifname ${lan.interface} ip saddr ${docker.net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
} }
} }
@ -57,13 +82,13 @@ in
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -116,17 +141,17 @@ in
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan.net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local" ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${openTCP}} accept iifname ${lan.interface} tcp dport {${openTCP}} accept
iifname ${wan-if} udp dport {${openUDP}} accept iifname ${lan.interface} udp dport {${openUDP}} accept
iifname ${vpn-if} tcp dport {${openTCPVPN}} accept iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
iifname ${vpn-if} udp dport {${openUDPVPN}} accept iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${wireguard.interface} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept iifname ${docker.interface} udp dport 53 accept
jump filter_drop jump filter_drop
} }
@ -135,17 +160,17 @@ in
ct state established,related accept ct state established,related accept
# client to client # client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${ ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
lib.concatStringsSep "," c2c-wg lib.concatStringsSep "," clientToClientWireguard
}} accept }} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${ oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," wireguardToWAN
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept oifname ${lan.interface} ip saddr ${docker.net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept oifname ${lan.interface} ip saddr ${tailscale.net} accept
jump filter_drop jump filter_drop
} }
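Review bot: The `ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"` rule in the `-116,17 +141,17` hunk is now fully shadowed, because the new `gdevices` list in the first hunk holds only `deviceAddress "tailscale" ...` entries while the line directly above it already accepts everything from `${tailscale.net}`. If the old `gdevices` from network.nix contained wireguard peers, this commit silently drops their access to local services instead of porting it; if it did not, the rule is dead and should either be removed or annotated, e.g. `# gdevices are tailscale peers and are already covered by the tailscale.net accept above`. Across this and the other hunks every `${wan-if}` match becomes `${lan.interface}`, so the uplink on which `openTCP`/`openUDP` are exposed now shares its name with the trusted `${lan.net}` source on the "lan > local" line; a one-line comment next to `deviceAddress` stating that `networks.lan.interface` is the internet-facing interface (if that is indeed what it is) would keep that trust boundary legible. The chains these rules belong to are opened and closed outside the hunk.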