From 802fcbd47f33761e60a11c4925f320b19bbda42e Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 18 Feb 2024 22:39:34 +0100
Subject: [PATCH] change to firewall and dns

---
 hosts/fw.cloonar.com/modules/dhcp4.nix | 7 +
 hosts/fw.cloonar.com/modules/firewall.nix | 384 ++++++---------------
 hosts/fw.cloonar.com/modules/unbound.nix | 4 +-
 hosts/fw.cloonar.com/modules/wireguard.nix | 2 +
 4 files changed, 115 insertions(+), 282 deletions(-)

diff --git a/hosts/fw.cloonar.com/modules/dhcp4.nix b/hosts/fw.cloonar.com/modules/dhcp4.nix
index 9e32d48..ac6edea 100644
--- a/hosts/fw.cloonar.com/modules/dhcp4.nix
+++ b/hosts/fw.cloonar.com/modules/dhcp4.nix
@@ -167,6 +167,13 @@
 data = "10.42.99.1";
 }
 ];
+ reservations = [
+ {
+ hw-address = "c4:a7:2b:c7:ea:30";
+ ip-address = "10.42.97.10";
+ server-hostname = "metz.cloonar.com";
+ }
+ ];
 }
 {
 pools = [
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 09206c9..cc8f214 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
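Review bot: `server-hostname` in the new reservation is, in Kea's DHCPv4 reservation syntax, the `sname` boot-server field handed to the client, not the name given to the client itself; if the intent is to name the lease, the key is `hostname = "metz.cloonar.com";`. The reserved `ip-address = "10.42.97.10"` also sits right after option data pointing at `10.42.99.1`, and Kea rejects at config load a reservation whose address lies outside the subnet it is declared in, so confirm this block really is the 10.42.97.x subnet and not the 10.42.99.x one. The enclosing subnet attribute set starts outside the hunk.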
@@ -2,313 +2,135 @@ networking = { firewall.checkReversePath = false; nat.enable = false; - # nftables = { - # enable = true; - # tables = { - # "cloonar-fw" = { - # family = "inet"; - # content = '' - # chain output { - # type filter hook output priority 100; policy accept; - # } - # - # chain input { - # type filter hook input priority filter; policy drop; - # - # # accept any localhost traffic - # iifname lo accept - # - # # Allow trusted networks to access the router - # iifname { - # "wan", # disable when final - # "lan", - # "wg_cloonar" - # } counter accept - # - # # Allow networks to access the dns and dhcp - # iifname { - # "lan", - # "vb-*", - # "podman0", - # "infrastructure", - # "wg_cloonar", - # "smart", - # "multimedia" - # } udp dport { 53, 67, 68 } counter accept - # iifname { - # "lan", - # "podman0", - # "vb-*", - # "infrastructure", - # "wg_cloonar", - # "smart", - # "multimedia" - # } tcp dport { 80, 443, 853 } counter accept - # - # # Accept mDNS for avahi reflection - # # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept - # # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept - # - # # Allow returning traffic from wg_cloonar and drop everthing else - # iifname "wg_cloonar" ct state { established, related } counter accept - # iifname "wg_cloonar" drop - # - # iifname "wan" ct state { established, related } accept comment "Allow established traffic" - # iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" - # iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" - # } - # - # chain forward { - # type filter hook forward priority filter; policy drop; - # - # # enable flow offloading for better throughput - # # ip protocol { tcp, udp } flow offload @f - # - # # multimedia airplay - # iifname "multimedia" oifname { "lan" } counter accept - # - # # lan and vpn to any - # # TODO: disable wan when finished - # iifname 
{ "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept - # iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept - # - # # Allow trusted network WAN access - # iifname { - # "lan", - # "infrastructure", - # "vb-*", - # "podman0", - # "multimedia", - # "smart", - # "wg_cloonar", - # } oifname { - # "wan", - # } counter accept comment "Allow trusted LAN to WAN" - # } - # ''; - # }; - # "cloonar-nat" = { - # family = "ip"; - # content = '' - # chain prerouting { - # type nat hook prerouting priority filter; policy accept; - # } - # - # # Setup NAT masquerading on external interfaces - # chain postrouting { - # type nat hook postrouting priority filter; policy accept; - # oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade - # # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces" - # } - # '' - # }; - # }; - # }; nftables = { enable = true; - ruleset = '' - table inet filter { - # enable flow offloading for better throughput - # flowtable f { - # hook ingress priority 0; - # devices = { lan, server, wg_cloonar, smart, multimedia, guest }; - # } + tables = { + "cloonar-fw" = { + family = "inet"; + content = '' + chain output { + type filter hook output priority 100; policy accept; + } - chain output { - type filter hook output priority 100; policy accept; - } + chain rpfilter { + type filter hook prerouting priority mangle + 10; policy drop; + meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server" + fib saddr . mark . iif oif exists accept + } - chain rpfilter { - type filter hook prerouting priority mangle + 10; policy drop; - meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server" - fib saddr . mark . 
iif oif exists accept - } + chain input { + type filter hook input priority filter; policy drop; + iifname "lo" accept comment "trusted interfaces" + ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow } + tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info + } - chain input { - type filter hook input priority filter; policy drop; - iifname "lo" accept comment "trusted interfaces" - ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow } - tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info - } + chain input-allow { + udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections" + iifname lo accept + iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic" + iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" + iifname { "multimedia", "smart" } udp dport { 53, 5353 } counter accept comment "DNS" - chain input-allow { - iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic" + # Accept mDNS for avahi reflection + iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept + iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept - iifname "wg_cloonar" counter accept comment "test wireguard" + # Allow all returning traffic + ct state { established, related } counter accept - # drop new connections over rate limit - udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop + # Allow returning traffic from wrwks and drop everthing else + iifname "wrwks" ct state { established, related } counter accept + iifname "wrwks" drop - # accept any localhost traffic - iifname lo accept + # Allow returning traffic from wg_epicenter and drop everthing else + iifname 
"wg_epicenter" ct state { established, related } counter accept + iifname "wg_epicenter" drop - # Allow trusted networks to access the router - iifname { - "wg_cloonar" - } counter accept - iifname { - "server", - "vserver", - "lan", - } counter accept + # Allow returning traffic from wg_ghetto_at and drop everthing else + iifname "wg_ghetto_at" ct state { established, related } counter accept + iifname "wg_ghetto_at" drop - # Allow networks to access dhcp - iifname { - "lan", - "server", - "vserver", - "infrastructure", - "smart", - "podman*", - "multimedia" - } udp dport { 67, 68 } counter accept + # Allow returning traffic from wan and drop everthing else + iifname "wan" ct state { established, related } accept comment "Allow established traffic" + iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" + iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" - # Allow networks to access dns - iifname { - "lan", - "server", - "vserver", - "infrastructure", - "smart", - "podman*", - "multimedia" - } udp dport { 53 } counter accept + limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic" + } + chain forward { + type filter hook forward priority filter; policy drop; - # allow audio system to access snapserver - iifname { - "server", - "smart", - "multimedia" - } tcp dport { 1704, 1705 } counter accept - # allow airplay access - iifname "lan" tcp dport { 5000, 5353 } counter accept - iifname "lan" udp dport { 5000, 5353, 6001 - 6011 } counter accept + iifname "wg_cloonar" counter accept comment "test wireguard" - # Accept mDNS for avahi reflection - iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept - iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept + iifname "wg_cloonar" oifname lo counter accept comment "wireguard to server" - # accept palword server - iifname { 
"wan", "lan" } udp dport { 8211, 27015 } counter accept + # enable flow offloading for better throughput + # ip protocol { tcp, udp } flow offload @f - # Allow all returning traffic - ct state { established, related } counter accept + # multimedia airplay + iifname "multimedia" oifname { "lan" } counter accept + iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept + iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept + # avahi + iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept - # Allow returning traffic from wrwks and drop everthing else - iifname "wrwks" ct state { established, related } counter accept - iifname "wrwks" drop + # smart home coap + iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept - # Allow returning traffic from wg_epicenter and drop everthing else - iifname "wg_epicenter" ct state { established, related } counter accept - iifname "wg_epicenter" drop + # Forward to git server + oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept - # Allow returning traffic from wg_ghetto_at and drop everthing else - iifname "wg_ghetto_at" ct state { established, related } counter accept - iifname "wg_ghetto_at" drop + # lan and vpn to any + # TODO: disable wan when finished + iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept + iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept + iifname { "infrastructure" } oifname { "server", "vserver" } counter accept - # Allow returning traffic from wan and drop everthing else - iifname "wan" ct state { established, related } accept comment "Allow established traffic" - iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" - iifname 
"wan" counter drop comment "Drop all other unsolicited traffic from wan" + # accept palword server + iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept - limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic" - } + # allow all established, related + ct state { established, related } accept comment "Allow established traffic" - chain forward { - type filter hook forward priority filter; policy drop; + # Allow trusted network WAN access + iifname { + "lan", + "infrastructure", + "server", + "vserver", + "multimedia", + "smart", + "wg_cloonar", + "podman*", + "guest", + "vb-*", + } oifname { + "wan", + } counter accept comment "Allow trusted LAN to WAN" - iifname "wg_cloonar" counter accept comment "test wireguard" + limit rate 60/minute burst 100 packets log prefix "Forward - Drop: " comment "Log any unmatched traffic" + } + ''; + }; + "cloonar-nat" = { + family = "ip"; + content = '' + chain prerouting { + type nat hook prerouting priority filter; policy accept; + iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50 + } - iifname "wg_cloonar" oifname lo counter accept comment "wireguard to server" - - # enable flow offloading for better throughput - # ip protocol { tcp, udp } flow offload @f - - # multimedia airplay - iifname "multimedia" oifname { "lan" } counter accept - iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept - iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept - # avahi - iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept - - # smart home coap - iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept - - # Forward to git server - oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept - - # lan and vpn to any - # TODO: disable wan when finished - iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", 
"server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept - iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept - iifname { "infrastructure" } oifname { "server", "vserver" } counter accept - - # accept palword server - iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept - - # allow all established, related - ct state { established, related } accept comment "Allow established traffic" - - # Allow trusted network WAN access - iifname { - "lan", - "infrastructure", - "server", - "vserver", - "multimedia", - "smart", - "wg_cloonar", - "podman*", - "guest", - "vb-*", - "ve-*", - } oifname { - "wan", - } counter accept comment "Allow trusted LAN to WAN" - - limit rate 60/minute burst 100 packets log prefix "Forward - Drop: " comment "Log any unmatched traffic" - } - } - - table ip nat { - chain prerouting { - type nat hook prerouting priority filter; policy accept; - iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50 - } - - # Setup NAT masquerading on external interfaces - chain postrouting { - type nat hook postrouting priority filter; policy accept; - oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade - ip daddr 10.42.97.50 masquerade - } - } - ''; - }; - }; - - systemd.services.nftables-fix = { - description = "Delete nixos-fw table"; - after = [ "nftables.service" ]; - - serviceConfig = let - fixScript = pkgs.writeTextFile { - name = "nftables-fix"; - executable = true; - text = '' - #! 
${pkgs.nftables}/bin/nft -f - delete table inet nixos-fw - ''; + # Setup NAT masquerading on external interfaces + chain postrouting { + type nat hook postrouting priority filter; policy accept; + oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade + ip daddr 10.42.97.50 masquerade + } + ''; + }; }; - in { - Name = "nftables-fix"; - PartOf = "nftables.service"; - Type = "oneshot"; - ExecStart= [ fixScript ]; - StateDirectory = "nftables"; }; }; - - } diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix index da6a417..401a91a 100644 --- a/hosts/fw.cloonar.com/modules/unbound.nix +++ b/hosts/fw.cloonar.com/modules/unbound.nix @@ -73,7 +73,7 @@ let "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\"" "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\"" - "\"metz.cloonar.com IN A 10.42.96.167\"" + "\"metz.cloonar.com IN A 10.42.99.10\"" "\"firetv-living.cloonar.com IN A 10.42.96.175\"" "\"ps5-living.cloonar.com IN A 10.42.96.176\"" @@ -220,4 +220,6 @@ in { partOf = [ "unbound.service" ]; wantedBy = [ "multi-user.target" ]; }; + + networking.firewall.allowedUDPPorts = [ 53 5353 ]; } diff --git a/hosts/fw.cloonar.com/modules/wireguard.nix b/hosts/fw.cloonar.com/modules/wireguard.nix index 0935151..8420bc4 100644 --- a/hosts/fw.cloonar.com/modules/wireguard.nix +++ b/hosts/fw.cloonar.com/modules/wireguard.nix @@ -48,4 +48,6 @@ ]; }; }; + + networking.firewall.allowedUDPPorts = [ 51820 ]; }
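Review bot: With the `nftables-fix` service that deleted `table inet nixos-fw` removed, the stock NixOS firewall table (if `networking.firewall.enable` is still at its default) now hooks input alongside `cloonar-fw`, and a packet has to be accepted by both chains — so the blanket `iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept` in `input-allow` is effectively narrowed to whatever `networking.firewall` opens (this patch opens only 53/5353 and 51820 in the sibling modules); either add `networking.firewall.trustedInterfaces = [ "lan" "server" "vserver" "wg_cloonar" ];` or state in a chain comment that the stock table is the real input policy. The new `input-allow` also no longer accepts UDP 67/68 from `multimedia`, `smart`, `infrastructure` and `podman*`, which the removed ruleset did; that is harmless only if Kea keeps its default raw-socket mode, which bypasses the input hook, so a comment such as `# DHCP on these networks relies on Kea raw sockets; no udp 67 rule needed` would make the intent explicit. In `forward`, `iifname "wg_cloonar" counter accept comment "test wireguard"` is a catch-all that leaves every later `wg_cloonar` rule dead, and the `# TODO: disable wan when finished` comment is stale now that "wan" is gone from the rule below it; drop the test rule or move it under the specific ones. Lastly, `ip daddr 10.42.97.50 masquerade` in `cloonar-nat` rewrites the source of every connection to the git server, including WAN SSH/HTTP(S) arriving through the `dnat` rule, so its sshd/web logs and any fail2ban-style tooling only ever see the firewall's own address; restricting it to the hairpin case, `iifname != "wan" ip daddr 10.42.97.50 masquerade`, keeps client addresses for the forwarded ports.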
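Review bot: `metz.cloonar.com` now resolves to 10.42.99.10 here, while the reservation added to dhcp4.nix in the same patch pins that host's MAC to 10.42.97.10, so DNS and DHCP disagree on the address and one of the two records is wrong (which one cannot be told from the diff). Whichever is intended, a comment tying the two together, e.g. `# metz: matches the static lease in dhcp4.nix — keep in sync`, would catch the next drift.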
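Review bot: `networking.firewall.allowedUDPPorts = [ 53 5353 ];` opens the resolver ports on every interface, `wan` included, in the stock `nixos-fw` table; only the custom table's `iifname "wan" counter drop` stands between this host and being an open resolver, so prefer scoping it to the served interfaces, e.g. `networking.firewall.interfaces.lan.allowedUDPPorts = [ 53 5353 ];` (one entry per internal interface). TCP 53 is not opened anywhere — the custom table's DNS rule for `multimedia`/`smart` is UDP-only as well — so answers that exceed the UDP size and force a TCP retry will fail from those networks; add `allowedTCPPorts = [ 53 ]` for the same interfaces if that is unintended. The enclosing attribute set starts outside the hunk.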
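Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` admits the WireGuard port on all interfaces in `nixos-fw`, whereas the custom `input-allow` rule accepts it only from `wan` (`iifname "wan" udp dport 51820`); scoping it the same way, `networking.firewall.interfaces.wan.allowedUDPPorts = [ 51820 ];`, keeps the two policies in agreement instead of relying on the custom table to close what this line opens. The enclosing attribute set starts outside the hunk.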