authorKenny Ballou <kballou@devnulllabs.io>2019-06-07 10:54:16 -0600
committerKenny Ballou <kballou@devnulllabs.io>2019-06-07 10:54:16 -0600
commite120694d1a0b355db7b9e84d47358991abcdcd19 (patch)
tree1610eacbe488f934da4addd2a41450b390f6705a /services
parent5f0ecc93e146906bcb7a71681eb39268c99e57f6 (diff)
services: configure netfilter firewall
Add an initial nftables ruleset and switch the host from the NixOS firewall module to it. Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
Diffstat (limited to 'services')
-rw-r--r--services/firewall.nix4
-rw-r--r--services/nftables-rules.nft86
2 files changed, 89 insertions, 1 deletions
diff --git a/services/firewall.nix b/services/firewall.nix
index 81ec5d1..2c09d3f 100644
--- a/services/firewall.nix
+++ b/services/firewall.nix
@@ -1,5 +1,7 @@
{ config, ... }:
{
# Firewall configuration
- networking.firewall.enable = true;
+ networking.firewall.enable = false;
+ networking.nftables.enable = true;
+ networking.nftables.rulesetFile = ./nftables-rules.nft;
}
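Review bot: Setting `networking.firewall.enable = false` also switches off the per-service port openings that other NixOS modules request through `networking.firewall.allowedTCPPorts` / `openFirewall`, so from this commit on those settings are silently ignored and every exposed service has to be mirrored by hand in `nftables-rules.nft`; the bare `# Firewall configuration` comment does not record that. Suggest replacing it with `# NixOS firewall module is disabled: the nftables ruleset below is the only packet filter. Services' allowedTCPPorts/openFirewall options are ignored and must be added to nftables-rules.nft by hand.` It is also worth confirming what happens if `nft -f` rejects the ruleset at activation — if the nftables unit simply fails, the host would come up with no input filtering at all, which argues for a build-time `nft -c -f` check on the file.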
diff --git a/services/nftables-rules.nft b/services/nftables-rules.nft
new file mode 100644
index 0000000..abb138f
--- /dev/null
+++ b/services/nftables-rules.nft
@@ -0,0 +1,86 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.0.0.1/8 counter accept
+ tcp dport ssh counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ udp dport domain counter accept
+ tcp dport http counter accept
+ tcp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ counter
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ counter
+ }
+ chain input {
+ type nat hook input priority 0; policy accept;
+ counter
+ }
+ chain output {
+ type nat hook output priority 0; policy accept;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ counter
+ }
+}
+
+table ip6 nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ counter
+ }
+ chain input {
+ type nat hook input priority 0; policy accept;
+ counter
+ }
+ chain output {
+ type nat hook output priority 0; policy accept;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ counter
+ }
+}
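Review bot: The `output` chain (policy drop) never accepts ICMPv6, and IPv6 neighbor discovery (NS/NA/RS) is ICMPv6 that conntrack leaves untracked, so host-originated ND never matches `ct state established,related` and is dropped — this will break IPv6 connectivity on the host; outbound ICMPv4 (ping, PMTU probes) is dropped for the same reason, and DNS-over-TCP fallback is blocked because only `udp dport domain` is allowed. Add to the output chain, before the trailing `counter`: `ip protocol icmp counter accept`, `ip6 nexthdr ipv6-icmp counter accept` and `tcp dport domain counter accept`. Separately, the input rule `udp dport domain ip saddr 172.0.0.1/8 counter accept` matches all of 172.0.0.0/8, which is mostly public address space — RFC 1918 is 172.16.0.0/12, so this is presumably a typo for `172.16.0.0/12` or for a specific bridge subnet; confirm the intended range and use a network address rather than `172.0.0.1`. The `tcp dport bootps` and `udp dport nntps`/`rsync`/`git`/`hkp` lines are harmless but the protocols are TCP- or UDP-only in practice, so trimming them would make the audit of the list shorter.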