Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions

feat: basic firewall using the previous

Browse source
This commit is contained in:
silver 2023-01-13 18:34:19 +00:00
parent 7963e3a9db
commit f1a484eaff
2 changed files with 59 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
applications/firewall.nix
View file

@ -1,48 +1,70 @@
{ {
networking.firewall.enable = false;
networking.nftables.enable = true; networking.nftables.enable = true;
# fules for the # fules for the firewall
networking.nftables.ruleset = '' # beware of EOL conversion.
networking.nftables.ruleset =
''
# Check out https://wiki.nftables.org/ for better documentation. # Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6. # Table for both IPv4 and IPv6.
table inet filter { table ip nat {
# Block all incomming connections traffic except SSH and "ping". chain prerouting {
chain input { type nat hook prerouting priority dstnat; policy accept;
type filter hook input priority 0;
# accept any localhost traffic # forward anything with port 2222 to this specific ip
iifname lo accept # tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
# accept traffic originated from us # forward http/s traffic from 76 to 123
ct state {established, related} accept # ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
# ICMP }
# routers may also want: mld-listener-query, nd-router-solicit
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept chain postrouting {
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept type nat hook postrouting priority srcnat; policy accept;
# allow "ping" # the internal network
ip6 nexthdr icmpv6 icmpv6 type echo-request accept ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
ip protocol icmp icmp type echo-request accept
# accept SSH connections (required for a server)
tcp dport 22 accept
# tcp dport 21 accept
# count and drop any other traffic
counter drop
} }
# Allow all outgoing connections.
chain output { chain output {
type filter hook output priority 0; type nat hook output priority -100; policy accept;
accept }
}
table ip filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh
tcp dport 22 counter packets 0 bytes 0 accept
} }
chain forward { chain forward {
type filter hook forward priority 0; type filter hook forward priority filter; policy drop;
accept counter packets 0 bytes 0 jump rejects
# accept these ip/ports
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
chain output {
type filter hook output priority filter; policy accept;
# no outgoing limits (for now)
}
chain fail2ban-ssh {
# ban these
# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain rejects {
# Reject all these
# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
} }
} }
''; '';

2
machines/test01.nix
View file

@ -6,7 +6,7 @@
./base.nix ./base.nix
# applications for this particular server # applications for this particular server
./applications/firewall.nix ../applications/firewall.nix
]; ];
environment.systemPackages = [ environment.systemPackages = [