render nftables's ruleset
This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whitespace again.
This commit is contained in:
parent
0f678c5e80
commit
62917423e3
4 changed files with 52 additions and 6 deletions
@ -4,7 +4,6 @@
|
||||||
imports = [
|
imports = [
|
||||||
../modules
|
../modules
|
||||||
./users.nix
|
./users.nix
|
||||||
modules.network.nftables
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
||||||
|
|
|
@ -54,7 +54,6 @@
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
config
|
config
|
||||||
nix-hexchen.nixosModules.network.nftables
|
|
||||||
{
|
{
|
||||||
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
|
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
|
||||||
imports = [ modules.nopersist profiles.container];
|
imports = [ modules.nopersist profiles.container];
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
../common
|
../common
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
modules.encboot
|
modules.encboot
|
||||||
modules.network.nftables
|
|
||||||
modules.nopersist
|
modules.nopersist
|
||||||
./nftables.nix
|
./nftables.nix
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
networking.firewall.enable = false;
|
||||||
networking.nat.enable = false;
|
networking.nat.enable = false;
|
||||||
boot = {
|
boot = {
|
||||||
kernelModules = [ "nf_nat_ftp" ];
|
kernelModules = [ "nf_nat_ftp" ];
|
||||||
|
@ -13,7 +14,54 @@
|
||||||
networking.nftables = {
|
networking.nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
extraConfig = ''
|
ruleset = ''
|
||||||
|
table inet filter {
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority filter
|
||||||
|
policy drop
|
||||||
|
|
||||||
|
icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
|
||||||
|
icmp type echo-request accept
|
||||||
|
|
||||||
|
ct state invalid drop
|
||||||
|
ct state established,related accept
|
||||||
|
|
||||||
|
iifname { lo } accept
|
||||||
|
|
||||||
|
tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
|
||||||
|
|
||||||
|
udp dport { 60000-61000, 64738 } accept
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# DHCPv6
|
||||||
|
ip6 daddr fe80::/64 udp dport 546 accept
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
counter
|
||||||
|
}
|
||||||
|
chain output {
|
||||||
|
type filter hook output priority filter
|
||||||
|
policy accept
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
counter
|
||||||
|
}
|
||||||
|
chain forward {
|
||||||
|
type filter hook forward priority filter
|
||||||
|
policy accept
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
counter
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority -100
|
type nat hook prerouting priority -100
|
||||||
|
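Review bot: The new `chain forward` (policy accept with only a `counter`) allows every routed packet, which together with the `iifname ve-* oifname enp35s0 masquerade` rule in the nat table shown in the following hunk makes the host an unrestricted router between the container interfaces and enp35s0 in both directions. The input hook is guarded carefully, but nothing limits what reaches the containers from the outside or what containers can reach through the host; whether that is acceptable depends on how the containers are addressed, which this hunk does not show. I would give the forward chain the same shape as the input chain: `policy drop`, then `ct state established,related accept` and `iifname "ve-*" oifname "enp35s0" accept` ahead of the `counter`, adding further interface pairs only for flows that are actually needed. The enclosing `networking.nftables` attribute set and the `''` string are closed in the next hunk, and the module header `{ config, lib, pkgs, ... }:` sits in the earlier one.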
@ -26,6 +74,7 @@ iifname ve-* oifname enp35s0 masquerade
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|