hacc/haccfiles
8
0
Fork 1
Code Issues 1 Pull requests Projects Releases Wiki Activity
haccfiles/parsons/nftables.nix
stuebinm f389de9c55 nftables: use networking.firewall.allowed{TCP,UDP}Port{s,Ranges} 
This is a no-op as far as actual config is concerned, but allows using
the usual networking options again, which before this commit were just
old unused code lying around.

There are still many other networking options which we set that
currently do nothing (e.g. the network bridge to lxc).
2024-04-06 14:55:48 +02:00

87 lines
2 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
cfg = config.networking.firewall;
mkPorts = ports: ranges:
lib.strings.concatStringsSep ", "
(map ({from, to}: "${toString from}-${toString to}") ranges
++
map toString ports);
in
{
networking.firewall.enable = false;
networking.nat.enable = false;
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv4.conf.default.forwarding" = true;
};
};
networking.nftables = {
enable = true;
ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter
policy drop
icmpv6 type {
echo-request,
echo-reply,
mld-listener-query,
mld-listener-report,
mld-listener-done,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
packet-too-big
} accept
icmp type echo-request accept
ct state invalid drop
ct state established,related accept
iifname { lo } accept
tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept
udp dport { ${mkPorts cfg.allowedUDPPorts cfg.allowedUDPPortRanges} } accept
# DHCPv6
ip6 daddr fe80::/64 udp dport 546 accept
counter
}
chain output {
type filter hook output priority filter
policy accept
counter
}
chain forward {
type filter hook forward priority filter
policy accept
counter
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
}
chain postrouting {
type nat hook postrouting priority 100
iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
}
}
'';
};
}
Reference in a new issue View git blame Copy permalink