From e120694d1a0b355db7b9e84d47358991abcdcd19 Mon Sep 17 00:00:00 2001
From: Kenny Ballou
Date: Fri, 7 Jun 2019 10:54:16 -0600
Subject: services: configure netfilter firewall

Add an initial configuration for netflter.

Signed-off-by: Kenny Ballou
---
 services/firewall.nix | 4 ++-
 services/nftables-rules.nft | 86 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 services/nftables-rules.nft
(limited to 'services')
diff --git a/services/firewall.nix b/services/firewall.nix
index 81ec5d1..2c09d3f 100644
--- a/services/firewall.nix
+++ b/services/firewall.nix
@@ -1,5 +1,7 @@
 { config, ... }:
 {
 # Firewall configuration
- networking.firewall.enable = true;
+ networking.firewall.enable = false;
+ networking.nftables.enable = true;
+ networking.nftables.rulesetFile = ./nftables-rules.nft;
 }
diff --git a/services/nftables-rules.nft b/services/nftables-rules.nft
new file mode 100644
index 0000000..abb138f
--- /dev/null
+++ b/services/nftables-rules.nft
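Review bot: The switch to `networking.firewall.enable = false;` is not explained by the existing `# Firewall configuration` comment, and it has a side effect worth recording: with the NixOS firewall disabled, `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` (and any service's `openFirewall = true`) set elsewhere in the configuration no longer open anything, so every permitted port now has to be listed in `nftables-rules.nft`. Presumably the firewall is disabled because the NixOS nftables module of this era asserts that the iptables-based firewall is off; a comment stating that would make the coupling explicit, e.g. `# The NixOS (iptables) firewall cannot coexist with nftables; all rules live in nftables-rules.nft.`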
@@ -0,0 +1,86 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.0.0.1/8 counter accept
+ tcp dport ssh counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ udp dport domain counter accept
+ tcp dport http counter accept
+ tcp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ counter
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ counter
+ }
+ chain input {
+ type nat hook input priority 0; policy accept;
+ counter
+ }
+ chain output {
+ type nat hook output priority 0; policy accept;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ counter
+ }
+}
+
+table ip6 nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ counter
+ }
+ chain input {
+ type nat hook input priority 0; policy accept;
+ counter
+ }
+ chain output {
+ type nat hook output priority 0; policy accept;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ counter
+ }
+}
-- 
cgit v1.2.1
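Review bot: The input-chain rule `udp dport domain ip saddr 172.0.0.1/8 counter accept` admits inbound DNS from all of 172.0.0.0/8, which is public address space; the RFC 1918 private range is 172.16.0.0/12, so this looks like a typo and should read `udp dport domain ip saddr 172.16.0.0/12 counter accept` (or whichever prefix the local network actually uses). The prefix as written also has host bits set (`.0.0.1/8`), which hides the intent even where nft tolerates it; write the network address. Separately, the output chain permits DNS only over UDP (`udp dport domain`), so resolver queries that fall back to TCP after a truncated response will hit the chain's `policy drop` — add `tcp dport domain counter accept` beside it — and outbound ICMP/ICMPv6 echo is likewise not accepted in the output chain, although `ct state established,related` still admits the returning error messages. The forward chain's `ct state established,related accept` omits `counter`, unlike the equivalent rule in the input and output chains.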