feat: basic firewall using the previous

applications/firewall.nix

@@ -1,51 +1,73 @@
 {
 
+  networking.firewall.enable = false;
   networking.nftables.enable = true;
 
-  # fules for the
-  networking.nftables.ruleset = ''
+  # fules for the firewall
+  # beware of EOL conversion.
+  networking.nftables.ruleset =
+    ''
     # Check out https://wiki.nftables.org/ for better documentation.
     # Table for both IPv4 and IPv6.
-    table inet filter {
-      # Block all incomming connections traffic except SSH and "ping".
-      chain input {
-        type filter hook input priority 0;
+    table ip nat {
+    	chain prerouting {
+    		type nat hook prerouting priority dstnat; policy accept;
 
-        # accept any localhost traffic
-        iifname lo accept
+    		# forward anything with port 2222 to this specific ip
+    		# tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
 
-        # accept traffic originated from us
-        ct state {established, related} accept
+    		# forward http/s traffic from 76 to 123
+    		# ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
+    		# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
+    	}
 
-        # ICMP
-        # routers may also want: mld-listener-query, nd-router-solicit
-        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
-        ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+    	chain postrouting {
+    		type nat hook postrouting priority srcnat; policy accept;
 
-        # allow "ping"
-        ip6 nexthdr icmpv6 icmpv6 type echo-request accept
-        ip protocol icmp icmp type echo-request accept
+    		# the internal network
+    		ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
+    	}
 
-        # accept SSH connections (required for a server)
-        tcp dport 22 accept
-        # tcp dport 21 accept
-
-        # count and drop any other traffic
-        counter drop
-      }
-
-      # Allow all outgoing connections.
-      chain output {
-        type filter hook output priority 0;
-        accept
-      }
-
-      chain forward {
-        type filter hook forward priority 0;
-        accept
-      }
+    	chain output {
+    		type nat hook output priority -100; policy accept;
+    	}
     }
-  '';
+
+    table ip filter {
+    	chain input {
+    		type filter hook input priority filter; policy accept;
+    		tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh
+    		tcp dport 22 counter packets 0 bytes 0 accept
+    	}
+
+    	chain forward {
+    		type filter hook forward priority filter; policy drop;
+    		counter packets 0 bytes 0 jump rejects
+
+        # accept these ip/ports
+    		# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
+
+    		counter packets 0 bytes 0 reject with icmp type admin-prohibited
+    	}
+
+    	chain output {
+    		type filter hook output priority filter; policy accept;
+
+    		# no outgoing limits (for now)
+    	}
+
+    	chain fail2ban-ssh {
+    	  # ban these
+    		# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
+    		counter packets 0 bytes 0 return
+    	}
+
+    	chain rejects {
+    	  # Reject all these
+    		# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
+    	}
+    }
+    '';
 
 
 }

machines/test01.nix

@@ -6,7 +6,7 @@
     ./base.nix
 
     # applications for this particular server
-    ./applications/firewall.nix
+    ../applications/firewall.nix
   ];
 
   environment.systemPackages = [