From f1a484eaff6f44d0ed9baa90e75fba3716a2fb8e Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Fri, 13 Jan 2023 18:34:19 +0000
Subject: [PATCH] feat: basic firewall using the previous
---
 applications/firewall.nix | 94 ++++++++++++++++++++++++---------------
 machines/test01.nix | 2 +-
 2 files changed, 59 insertions(+), 37 deletions(-)
diff --git a/applications/firewall.nix b/applications/firewall.nix
index 83fd939..cb4fe34 100644
--- a/applications/firewall.nix
+++ b/applications/firewall.nix
@@ -1,51 +1,73 @@ { + networking.firewall.enable = false; networking.nftables.enable = true; - # fules for the - networking.nftables.ruleset = '' + # fules for the firewall + # beware of EOL conversion. + networking.nftables.ruleset = + '' # Check out https://wiki.nftables.org/ for better documentation. # Table for both IPv4 and IPv6. - table inet filter { - # Block all incomming connections traffic except SSH and "ping". - chain input { - type filter hook input priority 0; + table ip nat { + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; - # accept any localhost traffic - iifname lo accept + # forward anything with port 2222 to this specific ip + # tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22 - # accept traffic originated from us - ct state {established, related} accept + # forward http/s traffic from 76 to 123 + # ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80 + # ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443 + } - # ICMP - # routers may also want: mld-listener-query, nd-router-solicit - ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept - ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; - # allow "ping" - ip6 nexthdr icmpv6 icmpv6 type echo-request accept - ip protocol icmp icmp type echo-request accept + # the internal network + ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade + } - # accept SSH connections (required for a server) - tcp dport 22 accept - # tcp dport 21 accept - - # count and drop any other traffic - counter drop - } - - # Allow all outgoing connections. 
- chain output { - type filter hook output priority 0; - accept - } - - chain forward { - type filter hook forward priority 0; - accept - } + chain output { + type nat hook output priority -100; policy accept; + } } - ''; + + table ip filter { + chain input { + type filter hook input priority filter; policy accept; + tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh + tcp dport 22 counter packets 0 bytes 0 accept + } + + chain forward { + type filter hook forward priority filter; policy drop; + counter packets 0 bytes 0 jump rejects + + # accept these ip/ports + # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept + + counter packets 0 bytes 0 reject with icmp type admin-prohibited + } + + chain output { + type filter hook output priority filter; policy accept; + + # no outgoing limits (for now) + } + + chain fail2ban-ssh { + # ban these + # ip saddr 104.236.151.120 counter packets 0 bytes 0 drop + counter packets 0 bytes 0 return + } + + chain rejects { + # Reject all these + # ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited + } + } + ''; } diff --git a/machines/test01.nix b/machines/test01.nix index 641f43d..194cba6 100644 --- a/machines/test01.nix +++ b/machines/test01.nix @@ -6,7 +6,7 @@ ./base.nix # applications for this particular server - ./applications/firewall.nix + ../applications/firewall.nix ]; environment.systemPackages = [
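Review bot: The new `chain input` in `table ip filter` is declared `policy accept;` and its only two rules both match `tcp dport 22`, so every other inbound port on the host is now open — the removed ruleset ended in `counter drop` and admitted only loopback, established/related, ICMP and SSH, and with `networking.firewall.enable = false;` added at the top nothing else filters the host. If SSH-only is still the intent, the chain should read `type filter hook input priority filter; policy drop;` with `iifname lo accept` and `ct state {established, related} accept` placed ahead of the two `tcp dport 22` rules (plus the ICMP/ping lines if they are still wanted). The tables also changed from `table inet filter` to `table ip nat` / `table ip filter`, so IPv6 traffic is now matched by no table at all, and the retained comment `# Table for both IPv4 and IPv6.` no longer describes the ruleset and should be updated or the tables moved back to the `inet` family. Separately, `chain forward` is `policy drop` and ends with an unconditional `reject`, while every accept rule in it and every `dnat` rule in `chain prerouting` is commented out, so the `masquerade` for `172.20.20.0/23` presumably cannot apply to any forwarded packet until those are enabled; a short comment stating that the forwarding/NAT part is a scaffold would make that explicit.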