Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions
nixos/applications/firewall.nix

134 lines
4 KiB
Nix
Raw Blame History

{lib, pkgs, config, ...}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = {
skynet_firewall = {
enable = lib.mkEnableOption {
default = false;
example = true;
description = "Skynet Firewall";
type = lib.types.bool;
};
forward = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of routes to forward
'';
};
own = {
ip = lib.mkOption {
default = "127.0.0.1";
type = lib.types.str;
description = ''
IP of the firewall
'';
};
ports = {
tcp = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = ''
A list of TCP ports for the machiene running the firewall
'';
};
udp = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = ''
A list of UDP ports for the machiene running the firewall
'';
};
};
};
};
};
config = lib.mkIf config.skynet_firewall.enable {
# disable default firewall to enable nftables
networking.firewall.enable = false;
networking.nftables.enable = true;
# fules for the firewall
# beware of EOL conversion.
networking.nftables.ruleset =
''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
# forward anything with port 2222 to this specific ip
# tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
# forward http/s traffic from 76 to 123
# ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
# the internal network
ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
}
chain output {
type nat hook output priority -100; policy accept;
}
}
table ip filter {
chain input {
type filter hook input priority filter; policy accept;
# for the host machiene
# TCP
${lib.strings.concatMapStrings (x: x + "\n") (map (port: "tcp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.tcp)}
# UDP
${lib.strings.concatMapStrings (x: x + "\n") (map (port: "udp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.udp)}
}
chain forward {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump rejects
# accept these ip/ports
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
# can basically make each machiene responsibile for their own forwarding (in config at least)
${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}
counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
chain output {
type filter hook output priority filter; policy accept;
# no outgoing limits (for now)
}
chain fail2ban-ssh {
# ban these
# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain rejects {
# Reject all these
# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
}
'';
};
}
Reference in a new issue View git blame Copy permalink