From c4d29829449ff0d2d00b91283d1b99dbaeed0691 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Thu, 2 Nov 2023 10:01:58 -0500 Subject: [PATCH] wip firewall for router --- .gitignore | 1 + nixos/router/default.nix | 176 ++++++++++++++++++++++++--------------- 2 files changed, 111 insertions(+), 66 deletions(-) diff --git a/.gitignore b/.gitignore index 87a3018..7b82853 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ +*.log result *.qcow2 diff --git a/nixos/router/default.nix b/nixos/router/default.nix index 8ae6afb..794d0c3 100644 --- a/nixos/router/default.nix +++ b/nixos/router/default.nix @@ -53,7 +53,7 @@ in { services.fail2ban.enable = true; services.radvd = { enable = true; - # TODO: this config is just the default arch linux config I think and may + # NOTE: this config is just the default arch linux config I think and may # need tweaking? this is what I had on the arch linux router, though :shrug: config = '' interface lo @@ -100,23 +100,6 @@ in { ''; }; - # TODO: lan0 and wan0 systemd.network.link ? - - networking.extraHosts = '' - 127.0.0.1 localhost - 127.0.1.1 router.h.lyte.dev router - - ::1 localhost ip6-localhost ip6-loopback - ff02::1 ip6-allnodes - ff02::2 ip6-allrouters - - 192.168.0.9 git.lyte.dev - 192.168.0.9 video.lyte.dev - 192.168.0.9 files.lyte.dev - 192.168.0.9 bw.lyte.dev - 192.168.0.9 vpn.h.lyte.dev - ''; - services.resolved = { enable = true; extraConfig = '' 
@@ -125,54 +108,6 @@ in { ''; }; - networking.firewall = { - # TODO: port router firewall config - enable = true; - package = pkgs.nftables; - allowPing = true; - allowedTCPPorts = [22]; - allowedUDPPorts = []; - }; - - networking.dhcpcd = { - enable = true; - extraConfig = '' - duid - - # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 - # issues caused by guests with oneplus devices - noarp - persistent - vendorclassid - - option domain_name_servers, domain_name, domain_search - option classless_static_routes - option interface_mtu - option host_name - #option ntp_servers - - require dhcp_server_identifier - slaac private - noipv4ll - noipv6rs - - static domain_name_servers=${ip} - - interface ${wan_if} - gateway - ipv6rs - iaid 1 - # option rapid_commit - # ia_na 1 - ia_pd 1 ${lan_if} - - interface ${lan_if} - static ip_address=${cidr} - static routers=${ip} - static domain_name_servers=${ip} - ''; - }; - services.dnsmasq = { enable = true; # TODO: port to settings 
@@ -232,5 +167,114 @@ in { ''; }; + networking.extraHosts = '' + 127.0.0.1 localhost + 127.0.1.1 router.h.lyte.dev router + + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + + 192.168.0.9 git.lyte.dev + 192.168.0.9 video.lyte.dev + 192.168.0.9 files.lyte.dev + 192.168.0.9 bw.lyte.dev + 192.168.0.9 vpn.h.lyte.dev + ''; + + networking.nftables = { + enable = true; + flushRuleset = true; + }; + + networking.firewall = { + # TODO: allow users to ssh to git.lyte.dev + # TODO: allow remote backuppers to ssh to beefcake + # TODO: allow DNS internally + # TODO: allow 67 for DHCP + # TODO: allow 2201 for router ssh access? + # TODO: allow 25565 to bald for minecraft + # TODO: allow all icmp stuff and dhcp stuff (including dhcpv6-client) + + # filterForward = true; + + extraInputRules = '' + ''; + extraForwardRules = '' + ''; + + enable = true; + + package = pkgs.nftables; + allowPing = true; + allowedTCPPorts = [22]; + allowedUDPPorts = []; + # allowedTCPPortRanges = [{from = 1; to = 10;}]; + # allowedUDPPortRanges = [{from = 1; to = 10;}]; + }; + + networking.dhcpcd = { + enable = true; + extraConfig = '' + duid + + # No way.... 
https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 + # issues caused by guests with oneplus devices + noarp + persistent + vendorclassid + + option domain_name_servers, domain_name, domain_search + option classless_static_routes + option interface_mtu + option host_name + #option ntp_servers + + require dhcp_server_identifier + slaac private + noipv4ll + noipv6rs + + static domain_name_servers=${ip} + + interface ${wan_if} + gateway + ipv6rs + iaid 1 + # option rapid_commit + # ia_na 1 + ia_pd 1 ${lan_if} + + interface ${lan_if} + static ip_address=${cidr} + static routers=${ip} + static domain_name_servers=${ip} + ''; + }; + + systemd.network = { + enable = true; + links = { + "${wan_if}" = { + enable = true; + matchConfig = { + MACAddress = "00:01:2e:82:73:59"; + }; + linkConfig = { + Name = wan_if; + }; + }; + "${lan_if}" = { + enable = true; + matchConfig = { + MACAddress = "00:01:2e:82:73:5a"; + }; + linkConfig = { + Name = lan_if; + }; + }; + }; + }; + system.stateVersion = "23.11"; }
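Review bot: `allowedTCPPorts = [22]` in the new `networking.firewall` block opens SSH on the input chain of every interface, `${wan_if}` included, while the `# TODO: allow 2201 for router ssh access?` line suggests WAN-side access is meant to be a separate decision; `networking.firewall.interfaces."${lan_if}".allowedTCPPorts = [22];` with the global list left empty would keep the exposure explicit (fail2ban, visible as context in the first hunk, limits but does not remove it). `# filterForward = true;` stays commented out, and as far as I recall the nftables backend then leaves the forward chain with an accept policy, so nothing in this file filters traffic routed between `${wan_if}` and `${lan_if}`; if unsolicited WAN-to-LAN traffic is supposed to be dropped, `filterForward = true;` is the switch, and `extraForwardRules` is where the allow rules the TODOs describe would go. `flushRuleset = true` discards rules installed by anything else on the host that uses nftables, which the option's own description warns about; a comment such as `# flushRuleset: this host is expected to be the only nftables user` would stop it being undone silently later. The two hard-coded `MACAddress` values in `systemd.network.links` would also benefit from a comment naming which physical port each one is, since a swapped pair silently inverts WAN and LAN.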