Work on firewall cleanup
This commit is contained in:
parent
a2c6a0fe93
commit
eeda716b9b
4 changed files with 134 additions and 111 deletions
60
flake.lock
60
flake.lock
|
@ -21,27 +21,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"dependencyDagOfSubmodule": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nnf",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1656615370,
|
||||
"narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
|
||||
"owner": "thelegy",
|
||||
"repo": "nix-dependencyDagOfSubmodule",
|
||||
"rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "thelegy",
|
||||
"repo": "nix-dependencyDagOfSubmodule",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"disko": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -416,22 +395,6 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1692638711,
|
||||
"narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1716769173,
|
||||
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
|
||||
|
@ -447,26 +410,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nnf": {
|
||||
"inputs": {
|
||||
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720615408,
|
||||
"narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=",
|
||||
"owner": "thelegy",
|
||||
"repo": "nixos-nftables-firewall",
|
||||
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "thelegy",
|
||||
"repo": "nixos-nftables-firewall",
|
||||
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -499,7 +442,6 @@
|
|||
"hyprland": "hyprland",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"nnf": "nnf",
|
||||
"pre-commit": "pre-commit",
|
||||
"slippi": "slippi",
|
||||
"sops-nix": "sops-nix"
|
||||
|
@ -532,7 +474,7 @@
|
|||
},
|
||||
"slippi": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_5"
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720625270,
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
hyprland.url = "github:hyprwm/Hyprland";
|
||||
slippi.url = "github:lytedev/slippi-nix";
|
||||
|
||||
nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
|
||||
# nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
|
||||
};
|
||||
|
||||
nixConfig = {
|
||||
|
@ -54,7 +54,7 @@
|
|||
home-manager,
|
||||
helix,
|
||||
hardware,
|
||||
nnf,
|
||||
# nnf,
|
||||
# hyprland,
|
||||
slippi,
|
||||
...
|
||||
|
@ -347,7 +347,8 @@
|
|||
modules = with nixosModules; [
|
||||
outputs.diskoConfigurations.unencrypted
|
||||
common
|
||||
nnf.nixosModules.default
|
||||
linux
|
||||
# nnf.nixosModules.default
|
||||
./nixos/router.nix
|
||||
];
|
||||
};
|
||||
|
|
|
@ -173,6 +173,14 @@
|
|||
};
|
||||
};
|
||||
|
||||
linux = {pkgs, ...}: {
|
||||
home-manager.users.daniel = {
|
||||
imports = with homeManagerModules; [
|
||||
linux
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
tailscale = {lib, ...}: {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
|
|
170
nixos/router.nix
170
nixos/router.nix
|
@ -19,11 +19,11 @@
|
|||
};
|
||||
interfaces = {
|
||||
wan = {
|
||||
name = "wan0";
|
||||
name = "wan";
|
||||
mac = "00:01:2e:82:73:59";
|
||||
};
|
||||
lan = {
|
||||
name = "lan0";
|
||||
name = "lan";
|
||||
mac = "00:01:2e:82:73:5a";
|
||||
};
|
||||
};
|
||||
|
@ -105,56 +105,120 @@ in {
|
|||
ff02::2 ip6-allrouters
|
||||
'';
|
||||
|
||||
nftables.firewall = let
|
||||
me = config.networking.nftables.firewall.localZoneName;
|
||||
nftables = let
|
||||
inf = {
|
||||
lan = interfaces.lan.name;
|
||||
wan = interfaces.wan.name;
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
snippets.nnf-common.enable = true;
|
||||
ruleset = with inf; ''
|
||||
table inet filter {
|
||||
set LANv4 {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
|
||||
}
|
||||
set LANv6 {
|
||||
type ipv6_addr
|
||||
flags interval
|
||||
elements = { fd00::/8, fe80::/10 }
|
||||
}
|
||||
# maybe tailnet?
|
||||
|
||||
zones = {
|
||||
${interfaces.wan.name} = {
|
||||
interfaces = [interfaces.wan.name];
|
||||
};
|
||||
${interfaces.lan.name} = {
|
||||
parent = interfaces.wan.name;
|
||||
ipv4Addresses = [cidr];
|
||||
};
|
||||
# banned = {
|
||||
# ingressExpression = [
|
||||
# "ip saddr @banlist"
|
||||
# "ip6 saddr @banlist6"
|
||||
# ];
|
||||
# egressExpression = [
|
||||
# "ip daddr @banlist"
|
||||
# "ip6 daddr @banlist6"
|
||||
# ];
|
||||
# };
|
||||
};
|
||||
chain my_input_lan {
|
||||
udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
|
||||
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
|
||||
}
|
||||
|
||||
rules = {
|
||||
dhcp = {
|
||||
from = "all";
|
||||
to = [hosts.beefcake.ip];
|
||||
allowedTCPPorts = [67];
|
||||
allowedUDPPorts = [67];
|
||||
};
|
||||
http = {
|
||||
from = "all";
|
||||
to = [hosts.beefcake.ip];
|
||||
allowedTCPPorts = [80 443];
|
||||
};
|
||||
router-ssh = {
|
||||
from = "all";
|
||||
to = [me];
|
||||
allowedTCPPorts = [2201];
|
||||
};
|
||||
server-ssh = {
|
||||
from = "all";
|
||||
to = [hosts.beefcake.ip];
|
||||
allowedTCPPorts = [22];
|
||||
};
|
||||
};
|
||||
chain input {
|
||||
type filter hook input priority 0; policy drop;
|
||||
|
||||
iif lo accept comment "Accept any localhost traffic"
|
||||
ct state invalid drop comment "Drop invalid connections"
|
||||
ct state established,related accept comment "Accept traffic originated from us"
|
||||
|
||||
meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
|
||||
meta l4proto icmp accept comment "Accept ICMP"
|
||||
ip protocol igmp accept comment "Accept IGMP"
|
||||
|
||||
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
|
||||
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
|
||||
|
||||
ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
|
||||
ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
|
||||
|
||||
iifname "${lan}" accept comment "Allow local network to access the router"
|
||||
|
||||
iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan"
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
|
||||
iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN"
|
||||
}
|
||||
}
|
||||
|
||||
table ip nat {
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
oifname "${wan}" masquerade
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# nftables.firewall = let
|
||||
# me = config.networking.nftables.firewall.localZoneName;
|
||||
# in {
|
||||
# enable = true;
|
||||
# snippets.nnf-common.enable = true;
|
||||
|
||||
# zones = {
|
||||
# ${interfaces.wan.name} = {
|
||||
# interfaces = [interfaces.wan.name interfaces.lan.name];
|
||||
# };
|
||||
# ${interfaces.lan.name} = {
|
||||
# parent = interfaces.wan.name;
|
||||
# ipv4Addresses = [cidr];
|
||||
# };
|
||||
# # banned = {
|
||||
# # ingressExpression = [
|
||||
# # "ip saddr @banlist"
|
||||
# # "ip6 saddr @banlist6"
|
||||
# # ];
|
||||
# # egressExpression = [
|
||||
# # "ip daddr @banlist"
|
||||
# # "ip6 daddr @banlist6"
|
||||
# # ];
|
||||
# # };
|
||||
# };
|
||||
|
||||
# rules = {
|
||||
# dhcp = {
|
||||
# from = "all";
|
||||
# to = [hosts.beefcake.ip];
|
||||
# allowedTCPPorts = [67];
|
||||
# allowedUDPPorts = [67];
|
||||
# };
|
||||
# http = {
|
||||
# from = "all";
|
||||
# to = [me];
|
||||
# allowedTCPPorts = [80 443];
|
||||
# };
|
||||
# router-ssh = {
|
||||
# from = "all";
|
||||
# to = [me];
|
||||
# allowedTCPPorts = [2201];
|
||||
# };
|
||||
# server-ssh = {
|
||||
# from = "all";
|
||||
# to = [hosts.beefcake.ip];
|
||||
# allowedTCPPorts = [22];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
};
|
||||
|
||||
systemd.network = {
|
||||
|
@ -218,15 +282,23 @@ in {
|
|||
services.dnsmasq = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
|
||||
listen-address = "::,127.0.0.1,${ip}";
|
||||
port = 53;
|
||||
|
||||
# dhcp-authoritative = true;
|
||||
# dnssec = true;
|
||||
# enable-ra = true;
|
||||
|
||||
server = ["::1" "127.0.0.1" "1.1.1.1" "9.9.9.9" "8.8.8.8"];
|
||||
|
||||
domain-needed = true;
|
||||
bogus-priv = true;
|
||||
no-resolv = true;
|
||||
|
||||
cache-size = 1000;
|
||||
cache-size = "10000";
|
||||
|
||||
dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
|
||||
except-interface = interfaces.wan.name;
|
||||
interface = interfaces.lan.name;
|
||||
dhcp-host =
|
||||
[
|
||||
|
|
Loading…
Reference in a new issue