authorKenny Ballou <kb@devnulllabs.io>2022-02-20 15:09:11 -0700
committerKenny Ballou <kb@devnulllabs.io>2022-03-14 11:14:48 -0600
commit402dda18a09335a5ea807a721a204a6e4eafa79b (patch)
tree994dde2a49aa9e5d588dec57c70b6b12f35a7837 /systems
parentd08003a2cc32627cfba35080ab36e91f408232db (diff)
downloaddotfiles-402dda18a09335a5ea807a721a204a6e4eafa79b.tar.gz
dotfiles-402dda18a09335a5ea807a721a204a6e4eafa79b.tar.xz
daeva: add nftables service
Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r--systems/daeva.scm2
-rw-r--r--systems/daeva/nftables-rules.nft72
2 files changed, 74 insertions, 0 deletions
diff --git a/systems/daeva.scm b/systems/daeva.scm
index 522d3df9..da5247fa 100644
--- a/systems/daeva.scm
+++ b/systems/daeva.scm
@@ -27,6 +27,7 @@
#:use-module (kbg packages profiles desktop)
#:use-module (kbg packages gnome)
#:use-module (kbg services desktop)
+ #:use-module (kbg services nftables)
#:use-module (kbg system xorg))
(define nix-gc-job
@@ -152,6 +153,7 @@
(energy-perf-policy-on-bat "powersave")
(pcie-aspm-on-ac "performance")
(pcie-aspm-on-bat "powersupersave")))
+ (nftables-service "daeva")
(simple-service 'my-cron-jobs
mcron-service-type
(list garbage-collector-job
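Review bot: The new `(nftables-service "daeva")` line gives no hint of how the string argument maps to a rule set, and the `(kbg services nftables)` module that defines it is not in this diff, so a reader has to go look it up; presumably it selects `systems/daeva/nftables-rules.nft` added in the same commit. A one-line comment above the call, e.g. `;; firewall rules: systems/daeva/nftables-rules.nft`, would make that link explicit in the system definition. The enclosing `operating-system` form starts and ends outside this hunk.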
diff --git a/systems/daeva/nftables-rules.nft b/systems/daeva/nftables-rules.nft
new file mode 100644
index 00000000..4679ad49
--- /dev/null
+++ b/systems/daeva/nftables-rules.nft
@@ -0,0 +1,72 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ ip6 daddr ::1 counter accept
+ udp dport domain counter accept
+ tcp dport 853 counter accept comment "DNS over TLS"
+ udp dport 853 counter accept comment "DNS over TLS"
+ tcp dport http counter accept
+ tcp dport https counter accept
+ udp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 5222 counter accept comment "XMPP"
+ tcp dport 6697 counter accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 19302-19309 counter accept comment "Google Meet Ports"
+ tcp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 1714-1764 counter accept comment "KDEConnect"
+ counter
+ }
+}
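Review bot: The output chain is `policy drop` but accepts no ICMPv6, only `icmp type echo-request` / `icmp type echo-reply`, so outbound neighbour solicitation/advertisement and router solicitation are dropped and IPv6 will most likely not work at all, even though the input chain accepts `ip6 nexthdr ipv6-icmp` and the loopback rules handle `::1`; unless IPv6 is intentionally unused on this host, add `ip6 nexthdr ipv6-icmp counter accept` next to the two `icmp type` rules. Separately, the input chain writes the loopback net as `127.0.0.1/8` (also inside the 8080, http-alt and postgresql sets) while the output chain uses `127.0.0.0/8`; as far as I recall nft masks the host bits so behaviour is the same, but using `127.0.0.0/8` throughout states the intent and avoids a reader wondering whether a single host was meant. The bare trailing `counter` in each chain only tallies traffic that then falls to the drop policy, which is worth saying in place, e.g. `counter comment "dropped by policy"`.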