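{
  pkgs,
  notnft,
  ...
}: {
  # Layout of the "dmz" network namespace: one bridge (br-dmz) with a veth
  # into each neighbouring namespace ("border" and "hel").  The far end of
  # each veth is named "dmz" inside its peer namespace.
  services.ifstate.settings.namespaces.dmz = {
    interfaces = [
      {
        name = "br-dmz";
        link = {
          kind = "bridge";
          state = "up";
        };
      }
      {
        name = "border";
        link = {
          kind = "veth";
          peer = "dmz";
          peer_netns = "border";
          master = "br-dmz";
          state = "up";
        };
      }
      {
        name = "hel";
        link = {
          kind = "veth";
          peer = "dmz";
          peer_netns = "hel";
          master = "br-dmz";
          state = "up";
        };
      }
    ];
  };

  # block input, output, forward, only bridge
  #
  # All three base chains are policy drop; the only accept is loopback on
  # input.  Every dropped packet is logged to nflog group 2, which the
  # ulogd-dmz service below consumes.
  #
  # NOTE(review): chains in the inet family see routed IP traffic only.
  # Frames switched between the veths at L2 across br-dmz are not matched by
  # these hooks (a bridge-family chain would be) — confirm that is what
  # "only bridge" intends.
  networking.notnft.namespaces.dmz.rules =
    # ---
    with notnft.dsl;
    with payload;
    # ---
      ruleset {
        filter = add table {family = f: f.inet;} {
          input =
            add chain {
              type = f: f.filter;
              hook = f: f.input;
              prio = -300;
              policy = f: f.drop;
            }
            [(is.eq meta.iifname "lo") accept]
            [
              (log {
                prefix = "[drop] dmz.input: ";
                queue-threshold = 1;
                group = 2;
              })
              drop
            ];

          output =
            add chain {
              type = f: f.filter;
              hook = f: f.output;
              prio = -300;
              policy = f: f.drop;
            }
            [
              (log {
                prefix = "[drop] dmz.output: ";
                queue-threshold = 1;
                group = 2;
              })
              drop
            ];

          forward =
            add chain {
              type = f: f.filter;
              # Previously hooked at `output`, which registered a second
              # output chain and left the forward hook with no chain at all,
              # so nothing was dropped or logged there despite the comment
              # above.  The chain is named and logged as "forward"; hook it
              # there.
              hook = f: f.forward;
              prio = -300;
              policy = f: f.drop;
            }
            [
              (log {
                # Log prefix corrected ("foward" -> "forward") so the three
                # chains can be told apart in /var/log/nft_dmz_drop.log.
                prefix = "[drop] dmz.forward: ";
                queue-threshold = 1;
                group = 2;
              })
              drop
            ];
        };
      };

  # ulogd instance running inside the dmz namespace.  It reads nflog group 2
  # (the group the drop rules above log to) and writes syslog-style lines to
  # a local file.
  systemd.services.ulogd-dmz = {
    description = "Ulogd Daemon";
    wantedBy = ["multi-user.target"];
    wants = ["network-pre.target"];
    before = ["network-pre.target"];
    # The dmz netns must exist before NetworkNamespacePath can be entered.
    after = ["ifstate.service"];

    serviceConfig = let
      settingsFormat = pkgs.formats.ini {listsAsDuplicateKeys = true;};
      settingsFile = settingsFormat.generate "ulogd.conf" {
        # This one for logging to local file in emulated syslog format.
        global.stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU";

        # Must match `group = 2` in the nftables log statements above.
        log2.group = 2;

        emu1 = {
          file = "/var/log/nft_dmz_drop.log";
          # Flush after every record so drops are visible immediately.
          sync = 1;
        };
      };
    in {
      NetworkNamespacePath = "/var/run/netns/dmz";
      ExecStart = "${pkgs.ulogd}/bin/ulogd -c ${settingsFile} --verbose --loglevel 5";
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    };
  };
}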