render nftables's ruleset

This does the same as the last commit did for the nftnat module, but for
the more general nftables module. Note the weird whatspace again.
This commit is contained in:
stuebinm 2024-02-18 13:39:54 +01:00
parent 0f678c5e80
commit 62917423e3
4 changed files with 52 additions and 6 deletions

View file

@ -4,7 +4,6 @@
imports = [
../modules
./users.nix
modules.network.nftables
];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;

View file

@ -54,7 +54,6 @@
system = "x86_64-linux";
modules = [
config
nix-hexchen.nixosModules.network.nftables
{
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
imports = [ modules.nopersist profiles.container];

View file

@ -5,7 +5,6 @@
../common
./hardware.nix
modules.encboot
modules.network.nftables
modules.nopersist
./nftables.nix
./nextcloud.nix

View file

@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.enable = false;
networking.nat.enable = false;
boot = {
kernelModules = [ "nf_nat_ftp" ];
@ -13,7 +14,54 @@
networking.nftables = {
enable = true;
extraConfig = ''
ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter
policy drop
icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
icmp type echo-request accept
ct state invalid drop
ct state established,related accept
iifname { lo } accept
tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
udp dport { 60000-61000, 64738 } accept
# DHCPv6
ip6 daddr fe80::/64 udp dport 546 accept
counter
}
chain output {
type filter hook output priority filter
policy accept
counter
}
chain forward {
type filter hook forward priority filter
policy accept
counter
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100
@ -26,6 +74,7 @@ iifname ve-* oifname enp35s0 masquerade
}
}
'';
};
}