2bf58cabcf
The really complex nftables rules I have seem not to work or, worse, segfault with nftables 1.09, which is the version in `nixpkgs-stable`. Therefore we need to pull in 1.10 from `nixpkgs-unstable` for now. Signed-off-by: magic_rb <magic_rb@redalder.org>
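# NixOS module for `hela`: the root network namespace of a Banana Pi router.
#
# This namespace owns the physical NICs and the DSA switch ports (see the
# `services.ifstate` block) and is connected to the `hel` network namespace
# over a veth pair. 10.1.0.2 on the far end of that veth is both this
# namespace's default gateway and the router handed out to DHCP clients.
# Packet filtering is done by the notnft ruleset below, not by the NixOS
# firewall module. The other namespaces live in the imported files.
{
  pkgs,
  config,
  inputs',
  notnft,
  ...
}: {
  imports = [
    ./networking/border.nix
    ./networking/hel.nix
    ./networking/dmz.nix
    ./hostapd.nix
  ];

  networking.hostName = "hela";

  networking = {
    # Links, addresses and routes are declared in `services.ifstate` below.
    useDHCP = false;
    # The NixOS firewall is replaced by the notnft ruleset below. Disabling it
    # also means the reverse-path-filter sysctl the NixOS firewall would set is
    # not applied, and nothing in this file sets `rp_filter` itself; the input
    # rules below therefore pin the ingress interface explicitly.
    firewall.enable = false;

    # interfaces.ppp0.useDHCP = true;
  };

  # systemd.services.dhcpcd = {
  #   bindsTo = ["sys-devices-virtual-net-ppp0.device"];
  #   after = ["sys-devices-virtual-net-ppp0.device"];
  # };

  boot.kernel.sysctl = {
    # Enable forwarding on IPv4 but disable on IPv6
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = false;
  };

  services.ifstate = {
    enable = true;

    settings = {
      # Everything non-local is sent into the `hel` namespace over the veth.
      routing.routes = [
        {
          to = "0.0.0.0/0";
          via = "10.1.0.2";
          dev = "hel";
        }
      ];

      interfaces = [
        # DSA switch conduit. Its MTU is 4 bytes above the switch ports
        # below, presumably to leave room for the DSA tag.
        {
          name = "sw";
          link = {
            kind = "physical";
            permaddr = config.bananapi.ethaddr.sw.colon;
            state = "up";
            mtu = 1516;
          };
        }
        {
          name = "sfp0";
          link = {
            kind = "physical";
            permaddr = config.bananapi.ethaddr.sfp0.colon;
            state = "up";
          };
        }
        {
          name = "sfp1";
          link = {
            kind = "physical";
            permaddr = config.bananapi.ethaddr.sfp1.colon;
            state = "up";
          };
        }
        # Switch ports hanging off `sw`. Neither gets an address in this file;
        # presumably the imported namespace modules take them over.
        {
          name = "wan";
          link = {
            kind = "dsa";
            address = config.bananapi.ethaddr.wan.colon;
            link = "sw";
            state = "up";
            mtu = 1512;
          };
        }
        {
          name = "slan";
          link = {
            kind = "dsa";
            address = config.bananapi.ethaddr.slan.colon;
            link = "sw";
            state = "up";
            mtu = 1512;
          };
        }
        # Veth into the `hel` namespace; the peer end is called `hela` there.
        # This is the only interface in this namespace that gets an address.
        {
          name = "hel";
          link = {
            kind = "veth";
            peer = "hela";
            peer_netns = "hel";
            state = "up";
          };
          addresses = [
            "10.1.0.1/19"
          ];
        }
      ];
    };
  };

  networking.notnft.enable = true;
  # nftables from nixpkgs-unstable: the ruleset does not load (or crashes nft)
  # with the version in nixpkgs-stable; see the commit message.
  networking.notnft.package = inputs'.nixpkgs-unstable.legacyPackages."aarch64-linux".nftables;
  networking.notnft.namespaces.default.rules =
    # ---
    with notnft.dsl;
    with payload;
    # ---
    ruleset {
      # One inet table, so the filter chains below see IPv4 and IPv6.
      filter = add table {family = f: f.inet;} {
        # NAT base chains with accept policy and no rules of their own here.
        postrouting = add chain {
          type = f: f.nat;
          hook = f: f.postrouting;
          prio = 100;
          policy = f: f.accept;
        };

        prerouting = add chain {
          type = f: f.nat;
          hook = f: f.prerouting;
          prio = 100;
          policy = f: f.accept;
        };

        # Default-deny input. Only LAN ICMP, loopback, conntrack-known traffic
        # and SSH on the veth address are accepted; everything else is logged
        # to nflog group 2 (consumed by ulogd below) and dropped by the policy.
        # NOTE(review): no rule accepts ICMPv6, so with the drop policy this
        # namespace cannot do IPv6 neighbour discovery. That is consistent with
        # IPv6 forwarding being off above, but it is a deliberate choice to
        # keep in mind if IPv6 is ever enabled here.
        input =
          add chain {
            type = f: f.filter;
            hook = f: f.input;
            prio = -300;
            policy = f: f.drop;
          }
          [(is.eq ip.saddr (set [(cidr "10.1.0.0/19")])) (is.eq ip.daddr "10.1.0.1") (is.eq ip.protocol (f: f.icmp)) accept]
          [(is.eq meta.iifname "lo") accept]
          # accept related, established and drop invalid
          [
            (vmap ct.state {
              established = accept;
              related = accept;
              invalid = drop;
            })
          ]
          # SSH into this namespace.
          # `tcp.dport` replaces the previous `th.dport`: the generic
          # transport-header match carries no L4 protocol dependency, so it
          # also matched UDP/22 and any other protocol whose header bytes at
          # the destination-port offset happen to equal 22.
          # The ingress interface is pinned to `hel` because Linux accepts
          # packets for a local address arriving on any interface and
          # rp_filter is not set in this file; as far as this file shows,
          # port 22 on 10.1.0.1 was otherwise also reachable via `wan`/`slan`.
          # `hel` is the only interface carrying 10.1.0.1, so legitimate
          # traffic already arrives there.
          [
            (is.eq meta.iifname "hel")
            (is.eq ip.daddr "10.1.0.1")
            (is.eq tcp.dport 22)
            accept
          ]
          # Log what the drop policy is about to discard.
          # TODO(review): put a `limit` statement in front of this. Unthrottled
          # logging of dropped packets lets any peer grow the ulogd log file
          # (fsynced per line, see below) as fast as it can send.
          [
            (log {
              prefix = "[drop] root.input: ";
              queue-threshold = 1;
              group = 2;
            })
          ];

        # As configured here nothing is forwarded by this namespace (policy
        # drop); the only rule logs the drops. Same unthrottled-logging caveat
        # as the input chain.
        forward =
          add chain {
            type = f: f.filter;
            hook = f: f.forward;
            prio = -300;
            policy = f: f.drop;
          }
          [
            (log {
              prefix = "[drop] root.forward: ";
              queue-threshold = 1;
              group = 2;
            })
          ];

        # Locally generated traffic is not filtered.
        output = add chain {
          type = f: f.filter;
          hook = f: f.output;
          prio = -300;
          policy = f: f.accept;
        };
      };
    };

  # ulogd consumes nflog group 2 from the `log` statements above and writes
  # the packets as syslog-style lines to a local file.
  services.ulogd = {
    enable = true;

    settings = {
      # This one for logging to local file in emulated syslog format.
      global.stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU";

      # Must match `group` in the nftables `log` statements above.
      log2.group = 2;

      emu1 = {
        file = "/var/log/nft_root_drop.log";
        # fsync after every line. No rotation for this file is configured
        # here; see the rate-limit TODO on the log rules.
        sync = 1;
      };
    };
  };

  # sshd and Kea are ordered after ifstate so that `hel` and its address exist
  # when they start. `after` only orders; it does not pull ifstate in.
  systemd.services.sshd = {
    after = ["ifstate.service"];
  };

  systemd.services.kea-dhcp4-server = {
    after = ["ifstate.service"];
  };

  services.kea.dhcp4 = {
    enable = true;

    settings = {
      # Serve DHCP only on the veth towards the `hel` namespace.
      # NOTE(review): the input chain above has no accept rule for UDP/67, so
      # this presumably relies on Kea's default raw-socket mode, which receives
      # frames before netfilter. Switching Kea to UDP sockets would need an
      # accept rule for dport 67 on `hel`.
      interfaces-config.interfaces = [
        "hel"
      ];

      subnet4 = [
        {
          # .1 is this namespace and .2 the router, hence the pool starts at .3.
          pools = [
            {pool = "10.1.0.3 - 10.1.0.254";} # dedicate a /24 to dhcp
          ];
          id = 1;
          subnet = "10.1.0.0/19";
          option-data = [
            # Clients route via the `hel` namespace, not via this one.
            {
              name = "routers";
              data = "10.1.0.2";
            }
          ];
        }
      ];
    };
  };
}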