diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 628e76f..c917371 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -1,147 +1,107 @@
 { ... }: {
 networking = {
 nat.enable = false;
- # firewall = {
- # enable = true;
- # extraCommands = ''
- # iptables -A INPUT -i lo -j ACCEPT
- # iptables -A INPUT -i wan -j ACCEPT
- # iptables -A INPUT -i lan -j ACCEPT
- # iptables -A INPUT -i wg_cloonar -j ACCEPT
- # iptables -A INPUT -p udp -i infrastructure -m multiport --dports 53,67,68 -j ACCEPT
- # iptables -A INPUT -p udp -i smart -m multiport --dports 53,67,68 -j ACCEPT
- # iptables -A INPUT -p udp -i multimedia -m multiport --dports 53,67,68 -j ACCEPT
- # iptables -A INPUT -p udp -i podman0 -m multiport --dports 53,67,68 -j ACCEPT
- # iptables -A INPUT -p tcp -i infrastructure -m multiport --dports 80,443,453 -j ACCEPT
- # iptables -A INPUT -p tcp -i smart -m multiport --dports 80,443,453 -j ACCEPT
- # iptables -A INPUT -p tcp -i multimedia -m multiport --dports 80,443,453 -j ACCEPT
- # iptables -A INPUT -p tcp -i podman0 -m multiport --dports 80,443,453 -j ACCEPT
- #
- # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- #
- # iptables -A FORWARD -i wan -d 10.42.0.0/16 -j ACCEPT
- # iptables -A FORWARD -i lan -d 10.42.0.0/16 -j ACCEPT
- # iptables -A FORWARD -i podman0 -d 10.42.0.0/16 -j ACCEPT
- # iptables -A FORWARD -i wg_cloonar -d 10.42.0.0/16 -j ACCEPT
- #
- # iptables -A FORWARD -i lan -o wan -j ACCEPT
- # iptables -A FORWARD -i infrastructure -o wan -j ACCEPT
- # iptables -A FORWARD -i podman0 -o wan -j ACCEPT
- # iptables -A FORWARD -i multimedia -o wan -j ACCEPT
- # iptables -A FORWARD -i smart -o wan -j ACCEPT
- # iptables -A FORWARD -i wg_cloonar -o wan -j ACCEPT
- #
- # iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- #
- # iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
- # iptables -t nat -A POSTROUTING -o wrwks -j MASQUERADE
- # iptables -t nat -A POSTROUTING -o wg_epicenter -j MASQUERADE
- # iptables -t nat -A POSTROUTING -o wg_ghetto_at -j MASQUERADE
- # '';
- # };
-
 nftables = {
 enable = true;
- ruleset = ''
- table inet filter {
- # enable flow offloading for better throughput
- # flowtable f {
- # hook ingress priority 0;
- # devices = { lan, server, wg_cloonar, smart, multimedia, guest };
- # }
+ tables = {
+ "cloonar-fw" = {
+ family = "inet";
+ content = ''
+ chain output {
+ type filter hook output priority 100; policy accept;
+ }
 
- chain output {
- type filter hook output priority 100; policy accept;
- }
+ chain input {
+ type filter hook input priority filter; policy drop;
 
- chain input {
- type filter hook input priority filter; policy drop;
+ # accept any localhost traffic
+ iifname lo accept
 
- # accept any localhost traffic
- iifname lo accept
+ # Allow trusted networks to access the router
+ iifname {
+ "wan", # disable when final
+ "lan",
+ "wg_cloonar"
+ } counter accept
 
- # Allow trusted networks to access the router
- iifname {
- "wan", # disable when final
- "lan",
- "wg_cloonar"
- } counter accept
+ # Allow networks to access the dns and dhcp
+ iifname {
+ "lan",
+ "vb-*",
+ "podman0",
+ "infrastructure",
+ "wg_cloonar",
+ "smart",
+ "multimedia"
+ } udp dport { 53, 67, 68 } counter accept
+ iifname {
+ "lan",
+ "podman0",
+ "vb-*",
+ "infrastructure",
+ "wg_cloonar",
+ "smart",
+ "multimedia"
+ } tcp dport { 80, 443, 853 } counter accept
 
- # Allow networks to access the dns and dhcp
- iifname {
- "lan",
- "vb-*",
- "podman0",
- "infrastructure",
- "wg_cloonar",
- "smart",
- "multimedia"
- } udp dport { 53, 67, 68 } counter accept
- iifname {
- "lan",
- "podman0",
- "vb-*",
- "infrastructure",
- "wg_cloonar",
- "smart",
- "multimedia"
- } tcp dport { 80, 443, 853 } counter accept
+ # Accept mDNS for avahi reflection
+ # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
+ # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
 
- # Accept mDNS for avahi reflection
- # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
- # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
+ # Allow returning traffic from wg_cloonar and drop everthing else
+ iifname "wg_cloonar" ct state { established, related } counter accept
+ iifname "wg_cloonar" drop
 
- # Allow returning traffic from wg_cloonar and drop everthing else
- iifname "wg_cloonar" ct state { established, related } counter accept
- iifname "wg_cloonar" drop
+ iifname "wan" ct state { established, related } accept comment "Allow established traffic"
+ iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
+ iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
+ }
 
- iifname "wan" ct state { established, related } accept comment "Allow established traffic"
- iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
- iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
- }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
 
- chain forward {
- type filter hook forward priority filter; policy drop;
+ # enable flow offloading for better throughput
+ # ip protocol { tcp, udp } flow offload @f
 
- # enable flow offloading for better throughput
- # ip protocol { tcp, udp } flow offload @f
+ # multimedia airplay
+ iifname "multimedia" oifname { "lan" } counter accept
 
- # multimedia airplay
- iifname "multimedia" oifname { "lan" } counter accept
+ # lan and vpn to any
+ # TODO: disable wan when finished
+ iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+ iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
 
- # lan and vpn to any
- # TODO: disable wan when finished
- iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
- iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
+ # Allow trusted network WAN access
+ iifname {
+ "lan",
+ "infrastructure",
+ "vb-*",
+ "podman0",
+ "multimedia",
+ "smart",
+ "wg_cloonar",
+ } oifname {
+ "wan",
+ } counter accept comment "Allow trusted LAN to WAN"
+ }
+ '';
+ };
+ "cloonar-nat" = {
+ family = "ip";
+ content = ''
+ chain prerouting {
+ type nat hook prerouting priority filter; policy accept;
+ }
 
- # Allow trusted network WAN access
- iifname {
- "lan",
- "infrastructure",
- "vb-*",
- "podman0",
- "multimedia",
- "smart",
- "wg_cloonar",
- } oifname {
- "wan",
- } counter accept comment "Allow trusted LAN to WAN"
- }
- }
-
- table ip nat {
- chain prerouting {
- type nat hook prerouting priority filter; policy accept;
- }
-
- # Setup NAT masquerading on external interfaces
- chain postrouting {
- type nat hook postrouting priority filter; policy accept;
- oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
- iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
- }
- }
- '';
+ # Setup NAT masquerading on external interfaces
+ chain postrouting {
+ type nat hook postrouting priority filter; policy accept;
+ oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
+ # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+ }
+ ''
+ };
+ };
 };
 };
 }
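Review bot: The "cloonar-nat" table closes its `content` string with `+ ''` immediately followed by `+ };`, while "cloonar-fw" closes with `'';`; if the hunk text is faithful, that attribute is missing its terminating semicolon and the module will fail to evaluate, so the line should read `'';`. A second point the move into `networking.nftables.tables` does not address: the new input chain still carries `"wan", # disable when final` inside the trusted `iifname { ... } counter accept` set, which makes the later `iifname "wan" ct state { established, related } accept`, the ICMP allow and the `iifname "wan" counter drop` rules unreachable, and the forward chain's `iifname { "wan", "lan", ... }` rule still forwards unsolicited WAN traffic into every internal zone (the `# TODO: disable wan when finished` line). Both entries are carried over from the old ruleset rather than introduced here, but since the rules are being re-homed anyway, removing `"wan"` from both sets, or at least replacing the two ad-hoc comments with a single `# TODO(<tracking ref>): "wan" is still trusted in input and forward; remove before this host fronts the uplink`, would keep the exposure visible at the point where it is enforced.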