From 579b76823077aabd96237caf387fde67348013ce Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Fri, 1 Dec 2023 17:46:47 +0100 Subject: [PATCH] try iptables instead of nftables --- hosts/fw.cloonar.com/modules/firewall.nix | 236 ++++++++++++---------- 1 file changed, 134 insertions(+), 102 deletions(-) diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix index 33b4942..fe4b251 100644 --- a/hosts/fw.cloonar.com/modules/firewall.nix +++ b/hosts/fw.cloonar.com/modules/firewall.nix 
@@ -1,115 +1,147 @@ { ... }: { networking = { nat.enable = false; - firewall.enable = false; - nftables = { + firewall = { enable = true; - ruleset = '' - table inet filter { - # enable flow offloading for better throughput - # flowtable f { - # hook ingress priority 0; - # devices = { lan, server, wg_cloonar, smart, multimedia, guest }; - # } + extraCommands = '' + iptables -A INPUT -i lo -j ACCEPT + iptables -A INPUT -i wan -j ACCEPT + iptables -A INPUT -i lan -j ACCEPT + iptables -A INPUT -i wg_cloonar -j ACCEPT + iptables -A INPUT -p udp -i smart --dports 53,67,68 -j ACCEPT + iptables -A INPUT -p udp -i multimedia --dports 53,67,68 -j ACCEPT + iptables -A INPUT -p tcp -i smart --dports 80,443,453 -j ACCEPT + iptables -A INPUT -p tcp -i multimedia --dports 80,443,453 -j ACCEPT - chain output { - type filter hook output priority 100; policy accept; - } + iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - chain input { - type filter hook input priority filter; policy drop; + iptables -A FORWARD -i wan -d 10.42.0.0/24 -j ACCEPT + iptables -A FORWARD -i lan -d 10.42.0.0/24 -j ACCEPT + iptables -A FORWARD -i wg_cloonar -d 10.42.0.0/24 -j ACCEPT - # accept any localhost traffic - iifname lo accept + iptables -A FORWARD -i lan -o wan -j ACCEPT + iptables -A FORWARD -i server -o wan -j ACCEPT + iptables -A FORWARD -i multimedia -o wan -j ACCEPT + iptables -A FORWARD -i smart -o wan -j ACCEPT + iptables -A FORWARD -i wg_cloonar -o wan -j ACCEPT - # Allow trusted networks to access the router - iifname { - "wan", # disable when final - "lan", - "wg_cloonar" - } counter accept + iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - # Allow networks to access the dns and dhcp - iifname { - "lan", - "server", - "wg_cloonar", - "smart", - "multimedia" - } udp dport { 53, 67, 68 } counter accept - iifname { - "lan", - "server", - "wg_cloonar", - "smart", - "multimedia" - } tcp dport { 80, 443, 853 } counter accept - - # Accept mDNS 
for avahi reflection - # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept - # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept - - # Allow returning traffic from wg_cloonar and drop everthing else - iifname "wg_cloonar" ct state { established, related } counter accept - iifname "wg_cloonar" drop - - iifname "wan" ct state { established, related } accept comment "Allow established traffic" - iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" - iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" - } - - chain forward { - type filter hook forward priority filter; policy drop; - - # enable flow offloading for better throughput - # ip protocol { tcp, udp } flow offload @f - - # multimedia airplay - iifname "multimedia" oifname { "lan" } counter accept - - # lan and vpn to any - # TODO: disable wan when finished - iifname { "wan", "lan", "wg_cloonar" } oifname { "lan", "server", "podman0", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept - - # Allow trusted network WAN access - iifname { - "lan", - "server", - "podman0", - "multimedia", - "smart", - "wg_cloonar", - } oifname { - "wan", - } counter accept comment "Allow trusted LAN to WAN" - - # Allow established WAN to return - iifname { - "wan", - } oifname { - "lan", - "server", - "podman0", - "multimedia", - "smart", - "wg_cloonar", - } ct state { established, related } counter accept comment "Allow established back to LANs" - } - } - - table ip nat { - chain prerouting { - type nat hook prerouting priority filter; policy accept; - } - - # Setup NAT masquerading on the ppp0 interface - chain postrouting { - type nat hook postrouting priority filter; policy accept; - # oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade - oifname { "wan" } masquerade - } - } + iptables -t nat -A POSTROUTING -o wan -j MASQUERADE + 
iptables -t nat -A POSTROUTING -o wrwks -j MASQUERADE + iptables -t nat -A POSTROUTING -o wg_epicenter -j MASQUERADE + iptables -t nat -A POSTROUTING -o wg_ghetto_at -j MASQUERADE ''; }; + + # nftables = { + # enable = true; + # ruleset = '' + # table inet filter { + # # enable flow offloading for better throughput + # # flowtable f { + # # hook ingress priority 0; + # # devices = { lan, server, wg_cloonar, smart, multimedia, guest }; + # # } + # + # chain output { + # type filter hook output priority 100; policy accept; + # } + # + # chain input { + # type filter hook input priority filter; policy drop; + # + # # accept any localhost traffic + # iifname lo accept + # + # # Allow trusted networks to access the router + # iifname { + # "wan", # disable when final + # "lan", + # "wg_cloonar" + # } counter accept + # + # # Allow networks to access the dns and dhcp + # iifname { + # "lan", + # "server", + # "wg_cloonar", + # "smart", + # "multimedia" + # } udp dport { 53, 67, 68 } counter accept + # iifname { + # "lan", + # "server", + # "wg_cloonar", + # "smart", + # "multimedia" + # } tcp dport { 80, 443, 853 } counter accept + # + # # Accept mDNS for avahi reflection + # # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept + # # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept + # + # # Allow returning traffic from wg_cloonar and drop everthing else + # iifname "wg_cloonar" ct state { established, related } counter accept + # iifname "wg_cloonar" drop + # + # iifname "wan" ct state { established, related } accept comment "Allow established traffic" + # iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" + # iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" + # } + # + # chain forward { + # type filter hook forward priority filter; policy drop; + # + # # enable flow offloading for better throughput + # # ip protocol { tcp, udp } 
flow offload @f + # + # # multimedia airplay + # iifname "multimedia" oifname { "lan" } counter accept + # + # # lan and vpn to any + # # TODO: disable wan when finished + # iifname { "wan", "lan", "wg_cloonar" } oifname { "lan", "server", "podman0", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept + # + # # Allow trusted network WAN access + # iifname { + # "lan", + # "server", + # "podman0", + # "multimedia", + # "smart", + # "wg_cloonar", + # } oifname { + # "wan", + # } counter accept comment "Allow trusted LAN to WAN" + # + # # Allow established WAN to return + # iifname { + # "wan", + # } oifname { + # "lan", + # "server", + # "podman0", + # "multimedia", + # "smart", + # "wg_cloonar", + # } ct state { established, related } counter accept comment "Allow established back to LANs" + # } + # } + # + # table ip nat { + # chain prerouting { + # type nat hook prerouting priority filter; policy accept; + # } + # + # # Setup NAT masquerading on the ppp0 interface + # chain postrouting { + # type nat hook postrouting priority filter; policy accept; + # # oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade + # oifname { "wan" } masquerade + # } + # } + # ''; + # }; }; }
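Review bot: The new `extraCommands` accept everything arriving on `wan` into the router (`iptables -A INPUT -i wan -j ACCEPT`) and forward unsolicited WAN traffic into `10.42.0.0/24` (`iptables -A FORWARD -i wan -d 10.42.0.0/24 -j ACCEPT`), but unlike the nftables ruleset this commit comments out, neither rule carries the "disable when final" marker, so the temporary exposure is now indistinguishable from intended policy; tag both with `# TODO: remove before go-live — exposes the router and 10.42.0.0/24 to the WAN` or drop them now. The four `-p udp`/`-p tcp ... --dports` rules will not load as written, because `--dports` is an option of the multiport match and needs `-m multiport` (`-p udp` alone only provides `--dport`), and the TCP list reads `80,443,453` where the removed ruleset allowed `853` (DNS over TLS), which looks like a typo. The nftables version had `policy drop` on the forward hook and covered IPv6 through the `inet` family, whereas nothing here sets `iptables -P FORWARD DROP` or touches `ip6tables`, so unless the NixOS firewall module already does that (verify with `iptables -S FORWARD` and `ip6tables -S`) the forward policy should be stated explicitly. The INPUT rules are also appended after whatever the NixOS module has already placed in INPUT (its own accept/refuse chain, if present, may decide before these rules are reached), so check the effective order with `iptables -S INPUT` after a rebuild. Rewritten lines below; the TODO comment belongs on the FORWARD wan rule as well.
```nix
extraCommands = ''
  iptables -P FORWARD DROP
  iptables -A INPUT -i lo -j ACCEPT
  # TODO: remove before go-live — exposes the router to the WAN
  iptables -A INPUT -i wan -j ACCEPT
  iptables -A INPUT -i lan -j ACCEPT
  iptables -A INPUT -i wg_cloonar -j ACCEPT
  iptables -A INPUT -p udp -i smart -m multiport --dports 53,67,68 -j ACCEPT
  iptables -A INPUT -p udp -i multimedia -m multiport --dports 53,67,68 -j ACCEPT
  iptables -A INPUT -p tcp -i smart -m multiport --dports 80,443,853 -j ACCEPT
  iptables -A INPUT -p tcp -i multimedia -m multiport --dports 80,443,853 -j ACCEPT
  # … unchanged: conntrack, FORWARD and NAT rules …
'';
```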