wip firewall for router

2023-11-02 10:01:58 -05:00 · 2023-11-02 10:01:58 -05:00 · c4d2982944
parent 30ae0e0969
commit c4d2982944
2 changed files with 111 additions and 66 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 *.log
 result
 *.qcow2
--- a/nixos/router/default.nix
+++ b/nixos/router/default.nix
@ -53,7 +53,7 @@ in {
  services.fail2ban.enable = true;
  services.radvd = {
    enable = true;
-    # TODO: this config is just the default arch linux config I think and may
+    # NOTE: this config is just the default arch linux config I think and may
    # need tweaking? this is what I had on the arch linux router, though :shrug:
    config = ''
      interface lo
@ -100,23 +100,6 @@ in {
    '';
  };
  # TODO: lan0 and wan0 systemd.network.link ?
  networking.extraHosts = ''
    127.0.0.1 localhost
    127.0.1.1 router.h.lyte.dev router
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    192.168.0.9 git.lyte.dev
    192.168.0.9 video.lyte.dev
    192.168.0.9 files.lyte.dev
    192.168.0.9 bw.lyte.dev
    192.168.0.9 vpn.h.lyte.dev
  '';
  services.resolved = {
    enable = true;
    extraConfig = ''
@ -125,54 +108,6 @@ in {
    '';
  };
  networking.firewall = {
    # TODO: port router firewall config
    enable = true;
    package = pkgs.nftables;
    allowPing = true;
    allowedTCPPorts = [22];
    allowedUDPPorts = [];
  };
  networking.dhcpcd = {
    enable = true;
    extraConfig = ''
      duid
      # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
      # issues caused by guests with oneplus devices
      noarp
      persistent
      vendorclassid
      option domain_name_servers, domain_name, domain_search
      option classless_static_routes
      option interface_mtu
      option host_name
      #option ntp_servers
      require dhcp_server_identifier
      slaac private
      noipv4ll
      noipv6rs
      static domain_name_servers=${ip}
      interface ${wan_if}
      	gateway
      	ipv6rs
      	iaid 1
      	# option rapid_commit
      	# ia_na 1
      	ia_pd 1 ${lan_if}
      interface ${lan_if}
      	static ip_address=${cidr}
      	static routers=${ip}
      	static domain_name_servers=${ip}
    '';
  };
  services.dnsmasq = {
    enable = true;
    # TODO: port to settings
@ -232,5 +167,114 @@ in {
    '';
  };
  networking.extraHosts = ''
    127.0.0.1 localhost
    127.0.1.1 router.h.lyte.dev router
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    192.168.0.9 git.lyte.dev
    192.168.0.9 video.lyte.dev
    192.168.0.9 files.lyte.dev
    192.168.0.9 bw.lyte.dev
    192.168.0.9 vpn.h.lyte.dev
  '';
  networking.nftables = {
    enable = true;
    flushRuleset = true;
  };
  networking.firewall = {
    # TODO: allow users to ssh to git.lyte.dev
    # TODO: allow remote backuppers to ssh to beefcake
    # TODO: allow DNS internally
    # TODO: allow 67 for DHCP
    # TODO: allow 2201 for router ssh access?
    # TODO: allow 25565 to bald for minecraft
    # TODO: allow all icmp stuff and dhcp stuff (including dhcpv6-client)
    # filterForward = true;
    extraInputRules = ''
    '';
    extraForwardRules = ''
    '';
    enable = true;
    package = pkgs.nftables;
    allowPing = true;
    allowedTCPPorts = [22];
    allowedUDPPorts = [];
    # allowedTCPPortRanges = [{from = 1; to = 10;}];
    # allowedUDPPortRanges = [{from = 1; to = 10;}];
  };
  networking.dhcpcd = {
    enable = true;
    extraConfig = ''
      duid
      # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
      # issues caused by guests with oneplus devices
      noarp
      persistent
      vendorclassid
      option domain_name_servers, domain_name, domain_search
      option classless_static_routes
      option interface_mtu
      option host_name
      #option ntp_servers
      require dhcp_server_identifier
      slaac private
      noipv4ll
      noipv6rs
      static domain_name_servers=${ip}
      interface ${wan_if}
      	gateway
      	ipv6rs
      	iaid 1
      	# option rapid_commit
      	# ia_na 1
      	ia_pd 1 ${lan_if}
      interface ${lan_if}
      	static ip_address=${cidr}
      	static routers=${ip}
      	static domain_name_servers=${ip}
    '';
  };
  systemd.network = {
    enable = true;
    links = {
      "${wan_if}" = {
        enable = true;
        matchConfig = {
          MACAddress = "00:01:2e:82:73:59";
        };
        linkConfig = {
          Name = wan_if;
        };
      };
      "${lan_if}" = {
        enable = true;
        matchConfig = {
          MACAddress = "00:01:2e:82:73:5a";
        };
        linkConfig = {
          Name = lan_if;
        };
      };
    };
  };
  system.stateVersion = "23.11";
 }