render nftables's ruleset
This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whatspace again.removing-nix-hexchen
parent
0f678c5e80
commit
62917423e3
|
@ -4,7 +4,6 @@
|
|||
imports = [
|
||||
../modules
|
||||
./users.nix
|
||||
modules.network.nftables
|
||||
];
|
||||
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
||||
|
|
|
@ -54,7 +54,6 @@
|
|||
system = "x86_64-linux";
|
||||
modules = [
|
||||
config
|
||||
nix-hexchen.nixosModules.network.nftables
|
||||
{
|
||||
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
|
||||
imports = [ modules.nopersist profiles.container];
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
../common
|
||||
./hardware.nix
|
||||
modules.encboot
|
||||
modules.network.nftables
|
||||
modules.nopersist
|
||||
./nftables.nix
|
||||
./nextcloud.nix
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.firewall.enable = false;
|
||||
networking.nat.enable = false;
|
||||
boot = {
|
||||
kernelModules = [ "nf_nat_ftp" ];
|
||||
|
@ -13,7 +14,54 @@
|
|||
networking.nftables = {
|
||||
enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
ruleset = ''
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority filter
|
||||
policy drop
|
||||
|
||||
icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
|
||||
icmp type echo-request accept
|
||||
|
||||
ct state invalid drop
|
||||
ct state established,related accept
|
||||
|
||||
iifname { lo } accept
|
||||
|
||||
tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
|
||||
|
||||
udp dport { 60000-61000, 64738 } accept
|
||||
|
||||
|
||||
|
||||
|
||||
# DHCPv6
|
||||
ip6 daddr fe80::/64 udp dport 546 accept
|
||||
|
||||
|
||||
|
||||
counter
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority filter
|
||||
policy accept
|
||||
|
||||
|
||||
|
||||
counter
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority filter
|
||||
policy accept
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
counter
|
||||
}
|
||||
}
|
||||
|
||||
table ip nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority -100
|
||||
|
@ -26,6 +74,7 @@ iifname ve-* oifname enp35s0 masquerade
|
|||
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue