From 62917423e315551b8b7ac76c4009275219df6faa Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sun, 18 Feb 2024 13:39:54 +0100
Subject: [PATCH] render nftables's ruleset

This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whatspace again.
---
 common/default.nix | 1 -
 flake.nix | 1 -
 parsons/configuration.nix | 1 -
 parsons/nftables.nix | 55 ++++++++++++++++++++++++++++++++++++---
 4 files changed, 52 insertions(+), 6 deletions(-)

diff --git a/common/default.nix b/common/default.nix
index ece8f62..4feb47b 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -4,7 +4,6 @@
 imports = [
 ../modules
 ./users.nix
- modules.network.nftables
 ];
 boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
diff --git a/flake.nix b/flake.nix
index 57f755e..8b7f985 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,7 +54,6 @@
 system = "x86_64-linux";
 modules = [
 config
- nix-hexchen.nixosModules.network.nftables
 {
 nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
 imports = [ modules.nopersist profiles.container];
diff --git a/parsons/configuration.nix b/parsons/configuration.nix
index 6cd72ed..c6fe455 100644
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@@ -5,7 +5,6 @@
 ../common
 ./hardware.nix
 modules.encboot
- modules.network.nftables
 modules.nopersist
 ./nftables.nix
 ./nextcloud.nix
diff --git a/parsons/nftables.nix b/parsons/nftables.nix
index c2cd19d..312496f 100644
--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 {
+ networking.firewall.enable = false;
 networking.nat.enable = false;
 boot = {
 kernelModules = [ "nf_nat_ftp" ];
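Review bot: `networking.firewall.enable = false;` silently turns the NixOS firewall's port options into no-ops — anything another module opens through `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` or a service's `openFirewall` is no longer applied, so the hard-coded `tcp dport { ... }` and `udp dport { ... }` lists in the ruleset below become the only place a port gets opened. That is a defensible design, but nothing on the line says so, and a later `openFirewall = true` elsewhere would fail confusingly and quietly. A comment would make the intent explicit: `# The NixOS firewall is off on purpose: networking.nftables.ruleset below is the sole input filter, so every listening port must be listed there.` The enclosing attribute set continues outside the hunk.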
@@ -13,7 +14,54 @@
 networking.nftables = {
 enable = true;
- extraConfig = ''
+ ruleset = ''
+table inet filter {
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
+ icmp type echo-request accept
+
+ ct state invalid drop
+ ct state established,related accept
+
+ iifname { lo } accept
+
+ tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
+
+ udp dport { 60000-61000, 64738 } accept
+
+
+
+
+ # DHCPv6
+ ip6 daddr fe80::/64 udp dport 546 accept
+
+
+
+ counter
+ }
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+
+ counter
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy accept
+
+
+
+
+
+ counter
+ }
+}
+
 table ip nat {
 chain prerouting {
 type nat hook prerouting priority -100
@@ -26,6 +74,7 @@
 iifname ve-* oifname enp35s0 masquerade
 }
 }
- '';
- };
+
+ '';
+ };
 }
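Review bot: The new `chain forward` is `policy accept` with nothing but a `counter`, so once this ruleset replaces the NixOS firewall the host will forward any packet it routes, not only the `ve-*` → `enp35s0` container traffic that the `ip nat` masquerade rule further down is written for; whether that is reachable depends on which interfaces the box has and whether forwarding is enabled on them, which the hunk does not show. If only container traffic is meant to be forwarded, the chain should default to drop and admit that traffic explicitly, with `ct state invalid drop` ahead of the accepts, as sketched below. As a point of style, the ruleset mixes a column-0 `table inet filter {` with the indented `table ip nat {` context line and carries runs of up to five empty lines — the "weird whitespace" the commit message mentions; normalising the indentation inside the `''` string makes Nix's indented-string stripping predictable and the diff easier to read. The `networking.nftables` attribute set and the `''` string both close in the following hunk.
```nix
  chain forward {
    type filter hook forward priority filter
    policy drop

    ct state invalid drop
    ct state established,related accept
    iifname ve-* accept

    counter
  }
```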