author | Kenny Ballou <kb@devnulllabs.io> | 2022-02-20 15:09:11 -0700 |
committer | Kenny Ballou <kb@devnulllabs.io> | 2022-03-14 11:14:48 -0600 |
commit | 402dda18a09335a5ea807a721a204a6e4eafa79b (patch) | |
tree | 994dde2a49aa9e5d588dec57c70b6b12f35a7837 /systems | |
parent | d08003a2cc32627cfba35080ab36e91f408232db (diff) | |
daeva: add nftables service
Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r-- | systems/daeva.scm | 2 | ||||
-rw-r--r-- | systems/daeva/nftables-rules.nft | 72 |
2 files changed, 74 insertions, 0 deletions
diff --git a/systems/daeva.scm b/systems/daeva.scm
index 522d3df9..da5247fa 100644
--- a/systems/daeva.scm
+++ b/systems/daeva.scm
@@ -27,6 +27,7 @@
 #:use-module (kbg packages profiles desktop)
 #:use-module (kbg packages gnome)
 #:use-module (kbg services desktop)
+ #:use-module (kbg services nftables)
 #:use-module (kbg system xorg))
 
 (define nix-gc-job
@@ -152,6 +153,7 @@
 (energy-perf-policy-on-bat "powersave")
 (pcie-aspm-on-ac "performance")
 (pcie-aspm-on-bat "powersupersave")))
+ (nftables-service "daeva")
 (simple-service 'my-cron-jobs mcron-service-type
 (list garbage-collector-job
diff --git a/systems/daeva/nftables-rules.nft b/systems/daeva/nftables-rules.nft
new file mode 100644
index 00000000..4679ad49
--- /dev/null
+++ b/systems/daeva/nftables-rules.nft
@@ -0,0 +1,72 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ ip6 daddr ::1 counter accept
+ udp dport domain counter accept
+ tcp dport 853 counter accept comment "DNS over TLS"
+ udp dport 853 counter accept comment "DNS over TLS"
+ tcp dport http counter accept
+ tcp dport https counter accept
+ udp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 5222 counter accept comment "XMPP"
+ tcp dport 6697 counter accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 19302-19309 counter accept comment "Google Meet Ports"
+ tcp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 1714-1764 counter accept comment "KDEConnect"
+ counter
+ }
+}
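Review bot: The output chain (policy drop) accepts only IPv4 `icmp type echo-request`/`echo-reply` and has no counterpart to the input chain's `ip6 nexthdr ipv6-icmp counter accept`, so outgoing neighbour/router solicitations and MLD reports are dropped and IPv6 from this host will likely not work at all — conntrack does not track NDP, so the `ct state established,related` rule does not cover it (unless the host genuinely has no IPv6, in which case the input-side ipv6-icmp accept is dead weight). Add the mirror rule next to `ip6 daddr ::1 counter accept`, `ip6 nexthdr ipv6-icmp counter accept`, or narrow it to what is needed with `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request } counter accept`. The bare `counter` that precedes each policy drop records totals only; a rate-limited `limit rate 10/minute log prefix "nft-drop-input: "` ahead of it would make dropped traffic visible in the journal for detection without flooding it. Minor: the input rule uses `127.0.0.1/8` while the output rule uses `127.0.0.0/8` for the same loopback prefix; nft normalizes both, but a single spelling is easier to audit.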