dotfiles/nixos/systems/hela/networking/dmz.nix
magic_rb c234160635
Border router, hela
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-09-04 22:39:43 +02:00

125 lines
2.9 KiB
Nix

{
pkgs,
notnft,
...
}: {
services.ifstate.settings.namespaces.dmz = {
interfaces = [
{
name = "br-dmz";
link = {
kind = "bridge";
state = "up";
};
}
{
name = "border";
link = {
kind = "veth";
peer = "dmz";
peer_netns = "border";
master = "br-dmz";
state = "up";
};
}
{
name = "hel";
link = {
kind = "veth";
peer = "dmz";
peer_netns = "hel";
master = "br-dmz";
state = "up";
};
}
];
};
# block input, output, forward, only bridge
networking.notnft.namespaces.dmz.rules =
# ---
with notnft.dsl;
with payload;
# ---
ruleset {
filter = add table {family = f: f.inet;} {
input =
add chain {
type = f: f.filter;
hook = f: f.input;
prio = -300;
policy = f: f.drop;
}
[(is.eq meta.iifname "lo") accept]
[
(log {
prefix = "[drop] dmz.input: ";
queue-threshold = 1;
group = 2;
})
drop
];
output =
add chain {
type = f: f.filter;
hook = f: f.output;
prio = -300;
policy = f: f.drop;
}
[
(log {
prefix = "[drop] dmz.output: ";
queue-threshold = 1;
group = 2;
})
drop
];
forward =
add chain {
type = f: f.filter;
hook = f: f.output;
prio = -300;
policy = f: f.drop;
}
[
(log {
prefix = "[drop] dmz.foward: ";
queue-threshold = 1;
group = 2;
})
drop
];
};
};
systemd.services.ulogd-dmz = {
description = "Ulogd Daemon";
wantedBy = ["multi-user.target"];
wants = ["network-pre.target"];
before = ["network-pre.target"];
after = ["ifstate.service"];
serviceConfig = let
settingsFormat = pkgs.formats.ini {listsAsDuplicateKeys = true;};
settingsFile = settingsFormat.generate "ulogd.conf" {
# This one for logging to local file in emulated syslog format.
global.stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU";
log2.group = 2;
emu1 = {
file = "/var/log/nft_dmz_drop.log";
sync = 1;
};
};
in {
NetworkNamespacePath = "/var/run/netns/dmz";
ExecStart = "${pkgs.ulogd}/bin/ulogd -c ${settingsFile} --verbose --loglevel ${
toString 5
}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
};
}