yate: configure firewall

2022-07-20 09:20:39 +02:00 · 2022-07-20 09:20:39 +02:00 · 4741d1b67c
commit 4741d1b67c
parent a70b6b35f1
1 changed files with 47 additions and 1 deletions
--- a/hosts/yate/configuration.nix
+++ b/hosts/yate/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports =
@ -91,6 +91,52 @@
    };
  };

+  networking.firewall.enable = false;
+  networking.nftables = {
+    enable = true;
+    ruleset = let
+        tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
+    in ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0; policy drop;
+
+          iifname lo accept
+          ct state {established, related} accept
+
+          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+          ip protocol icmp icmp type echo-request accept
+
+          tcp dport 22 accept
+          tcp dport { ${tcpPorts} } accept
+
+          iif {vlan132, vlan133} accept
+
+          udp dport 5060 ip saddr { 10.42.10.9 } accept
+          udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::9 } accept
+        }
+
+        chain forward {
+          type filter hook forward priority 0; policy drop;
+
+          ct state {established, related} accept
+          iif {vlan132, vlan133} accept
+
+          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+          ip protocol icmp icmp type echo-request accept
+
+          ip saddr 10.42.201.0/24 accept
+        }
+      }
+    '';
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave