diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 4b5f753..19429f2 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -3,105 +3,208 @@ nat.enable = false; nftables = { enable = true; - tables = { - "cloonar-fw" = { - family = "inet"; - content = '' - chain output { - type filter hook output priority 100; policy accept; - } + # tables = { + # "cloonar-fw" = { + # family = "inet"; + # content = '' + # chain output { + # type filter hook output priority 100; policy accept; + # } + # + # chain input { + # type filter hook input priority filter; policy drop; + # + # # accept any localhost traffic + # iifname lo accept + # + # # Allow trusted networks to access the router + # iifname { + # "wan", # disable when final + # "lan", + # "wg_cloonar" + # } counter accept + # + # # Allow networks to access the dns and dhcp + # iifname { + # "lan", + # "vb-*", + # "podman0", + # "infrastructure", + # "wg_cloonar", + # "smart", + # "multimedia" + # } udp dport { 53, 67, 68 } counter accept + # iifname { + # "lan", + # "podman0", + # "vb-*", + # "infrastructure", + # "wg_cloonar", + # "smart", + # "multimedia" + # } tcp dport { 80, 443, 853 } counter accept + # + # # Accept mDNS for avahi reflection + # # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept + # # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept + # + # # Allow returning traffic from wg_cloonar and drop everthing else + # iifname "wg_cloonar" ct state { established, related } counter accept + # iifname "wg_cloonar" drop + # + # iifname "wan" ct state { established, related } accept comment "Allow established traffic" + # iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" + # iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" + # } + # + # chain forward { + # type filter hook forward priority filter; policy drop; + # + # # enable flow offloading for better throughput + # # ip protocol { tcp, udp } flow offload @f + # + # # multimedia airplay + # iifname "multimedia" oifname { "lan" } counter 
accept + # + # # lan and vpn to any + # # TODO: disable wan when finished + # iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept + # iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept + # + # # Allow trusted network WAN access + # iifname { + # "lan", + # "infrastructure", + # "vb-*", + # "podman0", + # "multimedia", + # "smart", + # "wg_cloonar", + # } oifname { + # "wan", + # } counter accept comment "Allow trusted LAN to WAN" + # } + # ''; + # }; + # "cloonar-nat" = { + # family = "ip"; + # content = '' + # chain prerouting { + # type nat hook prerouting priority filter; policy accept; + # } + # + # # Setup NAT masquerading on external interfaces + # chain postrouting { + # type nat hook postrouting priority filter; policy accept; + # oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade + # # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces" + # } + # '' + # }; + # }; + }; + nftables = { + enable = true; + ruleset = '' + table inet filter { + # enable flow offloading for better throughput + # flowtable f { + # hook ingress priority 0; + # devices = { lan, server, wg_cloonar, smart, multimedia, guest }; + # } - chain input { - type filter hook input priority filter; policy drop; + chain output { + type filter hook output priority 100; policy accept; + } - # accept any localhost traffic - iifname lo accept + chain input { + type filter hook input priority filter; policy drop; - # Allow trusted networks to access the router - iifname { - "wan", # disable when final - "lan", - "wg_cloonar" - } counter accept + # accept any localhost traffic + iifname lo accept - # Allow networks to access the dns and dhcp - iifname { - "lan", - "vb-*", - "podman0", - "infrastructure", - "wg_cloonar", - "smart", - "multimedia" - } udp dport { 53, 67, 68 
} counter accept - iifname { - "lan", - "podman0", - "vb-*", - "infrastructure", - "wg_cloonar", - "smart", - "multimedia" - } tcp dport { 80, 443, 853 } counter accept + # Allow trusted networks to access the router + iifname { + "wan", # disable when final + "lan", + "wg_cloonar" + } counter accept - # Accept mDNS for avahi reflection - # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept - # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept + # Allow networks to access the dns and dhcp + iifname { + "lan", + "vb-*", + "podman0", + "infrastructure", + "wg_cloonar", + "smart", + "multimedia" + } udp dport { 53, 67, 68 } counter accept + iifname { + "lan", + "podman0", + "vb-*", + "infrastructure", + "wg_cloonar", + "smart", + "multimedia" + } tcp dport { 80, 443, 853 } counter accept - # Allow returning traffic from wg_cloonar and drop everthing else - iifname "wg_cloonar" ct state { established, related } counter accept - iifname "wg_cloonar" drop + # Accept mDNS for avahi reflection + # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept + # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept - iifname "wan" ct state { established, related } accept comment "Allow established traffic" - iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" - iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" - } + # Allow returning traffic from wg_cloonar and drop everthing else + iifname "wg_cloonar" ct state { established, related } counter accept + iifname "wg_cloonar" drop - chain forward { - type filter hook forward priority filter; policy drop; + iifname "wan" ct state { established, related } accept comment "Allow established traffic" + iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" + iifname "wan" counter drop comment "Drop all 
other unsolicited traffic from wan" + } - # enable flow offloading for better throughput - # ip protocol { tcp, udp } flow offload @f + chain forward { + type filter hook forward priority filter; policy drop; - # multimedia airplay - iifname "multimedia" oifname { "lan" } counter accept + # enable flow offloading for better throughput + # ip protocol { tcp, udp } flow offload @f - # lan and vpn to any - # TODO: disable wan when finished - iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept - iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept + # multimedia airplay + iifname "multimedia" oifname { "lan" } counter accept - # Allow trusted network WAN access - iifname { - "lan", - "infrastructure", - "vb-*", - "podman0", - "multimedia", - "smart", - "wg_cloonar", - } oifname { - "wan", - } counter accept comment "Allow trusted LAN to WAN" - } - ''; - }; - "cloonar-nat" = { - family = "ip"; - content = '' - chain prerouting { - type nat hook prerouting priority filter; policy accept; - } + # lan and vpn to any + # TODO: disable wan when finished + iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept + iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept - # Setup NAT masquerading on external interfaces - chain postrouting { - type nat hook postrouting priority filter; policy accept; - oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade - # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces" - } - ''; - }; - }; + # Allow trusted network WAN access + iifname { + "lan", + "infrastructure", + "vb-*", + "podman0", + "multimedia", + "smart", + "wg_cloonar", + } oifname { 
+ "wan", + } counter accept comment "Allow trusted LAN to WAN" + } + } + + table ip nat { + chain prerouting { + type nat hook prerouting priority filter; policy accept; + } + + # Setup NAT masquerading on external interfaces + chain postrouting { + type nat hook postrouting priority filter; policy accept; + oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade + # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces" + } + } + ''; }; }; }