render nftables's ruleset

This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whatspace again.
2024-02-18 13:39:54 +01:00 · 2024-02-18 13:39:54 +01:00 · 62917423e3
parent 0f678c5e80
commit 62917423e3
4 changed files with 52 additions and 6 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -4,7 +4,6 @@
  imports = [
    ../modules
    ./users.nix
-    modules.network.nftables
  ];

  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
--- a/flake.nix
+++ b/flake.nix
@ -54,7 +54,6 @@
          system = "x86_64-linux";
          modules = [
            config
-            nix-hexchen.nixosModules.network.nftables
            {
              nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
              imports = [ modules.nopersist profiles.container];
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@ -5,7 +5,6 @@
    ../common
    ./hardware.nix
    modules.encboot
-    modules.network.nftables
    modules.nopersist
    ./nftables.nix
    ./nextcloud.nix
--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:

 {
+  networking.firewall.enable = false;
  networking.nat.enable = false;
    boot = {
      kernelModules = [ "nf_nat_ftp" ];
@ -13,7 +14,54 @@
    networking.nftables = {
      enable = true;

-      extraConfig = ''
+      ruleset = ''
+table inet filter {
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+    icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
+    icmp type echo-request accept
+
+    ct state invalid drop
+    ct state established,related accept
+
+    iifname { lo } accept
+
+    tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
+
+    udp dport { 60000-61000, 64738 } accept
+
+
+    
+
+    # DHCPv6
+    ip6 daddr fe80::/64 udp dport 546 accept
+
+    
+
+    counter
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    
+
+    counter
+  }
+  chain forward {
+    type filter hook forward priority filter
+    policy accept
+
+    
+
+    
+
+    counter
+  }
+}
+
 table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100
@ -26,6 +74,7 @@ iifname ve-* oifname enp35s0 masquerade
    
  }
 }
-      '';
-    };
+
+    '';
+  };
 }