dotfiles/nixos/systems/blowhole/firewall.nix


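{ pkgs, config, lib, ... }:
# Router firewall for host "blowhole": sysctl forwarding policy, interface
# DHCP roles, one WireGuard interface and an nftables ruleset that replaces
# the built-in iptables firewall.
with lib;
let
  # Physical uplink: DHCP client and the masquerade egress.
  wan = "enp7s0f1";
  # Trusted local segment: no DHCP client, unrestricted access to the router.
  lan = "enp7s0f0";
  # WireGuard interface name; also the key file basename under /var/secrets.
  doVPN = "do_vpn0";
in
{
  boot.kernel.sysctl = {
    # Route IPv4 between interfaces; IPv6 is not routed at all.
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = false;
    # source: https://github.com/mdlayher/homelab/blob/master/nixos/routnerr-2/configuration.nix#L52
    # Do not auto-configure any IPv6 addresses by default (no RA, no SLAAC,
    # no temporary addresses).
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.all.autoconf" = 0;
    "net.ipv6.conf.all.use_tempaddr" = 0;
    # On WAN, allow IPv6 autoconfiguration and temporary address use.
    # "net.ipv6.conf.${name}.accept_ra" = 2;
    # "net.ipv6.conf.${name}.autoconf" = 1;
  };

  networking = {
    useDHCP = false;
    hostName = "blowhole";
    nameservers = [ "8.8.8.8" ];

    # The nftables ruleset below is the only packet filter; the iptables-based
    # NixOS firewall stays off so the two do not conflict.
    firewall.enable = mkForce false;

    interfaces = {
      # Don't do DHCP on the LAN interface
      "${lan}".useDHCP = false;
      # But do DHCP on the WAN interface
      "${wan}".useDHCP = true;
    };

    wireguard = {
      enable = true;
      # Peer and address settings come from the per-host secret; only the
      # listen port and the key location are fixed here.
      interfaces."${doVPN}" =
        config.magic_rb.secret.wireguard."${config.networking.hostName}"
        // {
          listenPort = 6666;
          privateKeyFile = "/var/secrets/${doVPN}.key";
        };
    };

    nftables = {
      enable = true;
      ruleset = ''
        table ip filter {
          # Shared rules for the untrusted interfaces (WAN and the VPN): only
          # reply traffic and a few ICMP types reach the router itself.
          chain input_out {
            ct state { established, related } accept comment "Allow established traffic"
            icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
          }

          chain input {
            type filter hook input priority 0; policy drop;
            # Loopback has to be accepted explicitly under a drop policy,
            # otherwise local services talking to 127.0.0.1 are cut off.
            iifname "lo" accept comment "Allow loopback"
            tcp dport 22 accept comment "Accept SSH traffic always"
            iifname { "${lan}" } accept comment "Allow local network to access the router"
            # NOTE(review): nothing accepts udp dport 6666 (the WireGuard
            # listenPort) here, so inbound handshakes from peers on WAN are
            # dropped; confirm whether this host is meant to only initiate.
            iifname { "${wan}", "${doVPN}" } jump input_out
          }

          chain forward {
            type filter hook forward priority 0; policy drop;
            iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
            iifname { "${wan}" } oifname { "${lan}" } ct state established, related accept comment "Allow established back to LANs"
          }
        }

        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname "${wan}" masquerade
          }
        }

        # IPv6 is neither routed nor auto-configured (see the sysctls above),
        # so everything except loopback is dropped.
        table ip6 filter {
          chain input {
            type filter hook input priority 0; policy drop;
            iifname "lo" accept comment "Allow loopback"
          }
          chain forward {
            type filter hook forward priority 0; policy drop;
          }
        }
      '';
    };
  };
}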