feat: basic firewall using the previous
This commit is contained in:
parent
7963e3a9db
commit
f1a484eaff
2 changed files with 59 additions and 37 deletions
|
@ -1,48 +1,70 @@
|
|||
{
|
||||
|
||||
networking.firewall.enable = false;
|
||||
networking.nftables.enable = true;
|
||||
|
||||
# fules for the
|
||||
networking.nftables.ruleset = ''
|
||||
# fules for the firewall
|
||||
# beware of EOL conversion.
|
||||
networking.nftables.ruleset =
|
||||
''
|
||||
# Check out https://wiki.nftables.org/ for better documentation.
|
||||
# Table for both IPv4 and IPv6.
|
||||
table inet filter {
|
||||
# Block all incomming connections traffic except SSH and "ping".
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
table ip nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
|
||||
# accept any localhost traffic
|
||||
iifname lo accept
|
||||
# forward anything with port 2222 to this specific ip
|
||||
# tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
|
||||
|
||||
# accept traffic originated from us
|
||||
ct state {established, related} accept
|
||||
|
||||
# ICMP
|
||||
# routers may also want: mld-listener-query, nd-router-solicit
|
||||
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
|
||||
# allow "ping"
|
||||
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
|
||||
ip protocol icmp icmp type echo-request accept
|
||||
|
||||
# accept SSH connections (required for a server)
|
||||
tcp dport 22 accept
|
||||
# tcp dport 21 accept
|
||||
|
||||
# count and drop any other traffic
|
||||
counter drop
|
||||
# forward http/s traffic from 76 to 123
|
||||
# ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
|
||||
# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
|
||||
# the internal network
|
||||
ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
|
||||
}
|
||||
|
||||
# Allow all outgoing connections.
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
accept
|
||||
type nat hook output priority -100; policy accept;
|
||||
}
|
||||
}
|
||||
|
||||
table ip filter {
|
||||
chain input {
|
||||
type filter hook input priority filter; policy accept;
|
||||
tcp dport 22 counter packets 0 bytes 0 jump fail2ban-ssh
|
||||
tcp dport 22 counter packets 0 bytes 0 accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
accept
|
||||
type filter hook forward priority filter; policy drop;
|
||||
counter packets 0 bytes 0 jump rejects
|
||||
|
||||
# accept these ip/ports
|
||||
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
|
||||
|
||||
counter packets 0 bytes 0 reject with icmp type admin-prohibited
|
||||
}
|
||||
|
||||
chain output {
|
||||
type filter hook output priority filter; policy accept;
|
||||
|
||||
# no outgoing limits (for now)
|
||||
}
|
||||
|
||||
chain fail2ban-ssh {
|
||||
# ban these
|
||||
# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
|
||||
counter packets 0 bytes 0 return
|
||||
}
|
||||
|
||||
chain rejects {
|
||||
# Reject all these
|
||||
# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
|
||||
}
|
||||
}
|
||||
'';
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
./base.nix
|
||||
|
||||
# applications for this particular server
|
||||
./applications/firewall.nix
|
||||
../applications/firewall.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
|
|
Loading…
Reference in a new issue