From 9fe8c3877294a8f6700e8be64a5e8220be962f21 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Fri, 1 Dec 2023 23:38:45 +0100
Subject: [PATCH] try again with nftables
---
 hosts/fw.cloonar.com/modules/firewall.nix | 280 +++++++++++-----------
 1 file changed, 143 insertions(+), 137 deletions(-)
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index d864bbc..e6db3bd 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -1,150 +1,156 @@
 { ... }: {
 networking = {
- nat.enable = true;
+ nat.enable = false;
+ firewall.enable = false;
 firewall = {
- enable = true;
- extraCommands = ''
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i wan -j ACCEPT
- iptables -A INPUT -i lan -j ACCEPT
- iptables -A INPUT -i wg_cloonar -j ACCEPT
- iptables -A INPUT -p udp -i smart -m multiport --dports 53,67,68 -j ACCEPT
- iptables -A INPUT -p udp -i multimedia -m multiport --dports 53,67,68 -j ACCEPT
- iptables -A INPUT -p udp -i podman0 -m multiport --dports 53,67,68 -j ACCEPT
- iptables -A INPUT -p tcp -i smart -m multiport --dports 80,443,453 -j ACCEPT
- iptables -A INPUT -p tcp -i multimedia -m multiport --dports 80,443,453 -j ACCEPT
- iptables -A INPUT -p tcp -i podman0 -m multiport --dports 80,443,453 -j ACCEPT
-
- iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
- iptables -A FORWARD -i wan -d 10.42.0.0/16 -j ACCEPT
- iptables -A FORWARD -i lan -d 10.42.0.0/16 -j ACCEPT
- iptables -A FORWARD -i podman0 -d 10.42.0.0/16 -j ACCEPT
- iptables -A FORWARD -i wg_cloonar -d 10.42.0.0/16 -j ACCEPT
-
- iptables -A FORWARD -i lan -o wan -j ACCEPT
- iptables -A FORWARD -i podman0 -o wan -j ACCEPT
- iptables -A FORWARD -i multimedia -o wan -j ACCEPT
- iptables -A FORWARD -i smart -o wan -j ACCEPT
- iptables -A FORWARD -i wg_cloonar -o wan -j ACCEPT
-
- iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
- iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
- iptables -t nat -A POSTROUTING -o wrwks -j MASQUERADE
- iptables -t nat -A POSTROUTING -o wg_epicenter -j MASQUERADE
- iptables -t nat -A POSTROUTING -o wg_ghetto_at -j MASQUERADE
- '';
- };
-
- # nftables = {
 # enable = true;
- # ruleset = ''
- # table inet filter {
- # # enable flow offloading for better throughput
- # # flowtable f {
- # # hook ingress priority 0;
- # # devices = { lan, server, wg_cloonar, smart, multimedia, guest };
- # # }
+ # extraCommands = ''
+ # iptables -A INPUT -i lo -j ACCEPT
+ # iptables -A INPUT -i wan -j ACCEPT
+ # iptables -A INPUT -i lan -j ACCEPT
+ # iptables -A INPUT -i wg_cloonar -j ACCEPT
+ # iptables -A INPUT -p udp -i infrastructure -m multiport --dports 53,67,68 -j ACCEPT
+ # iptables -A INPUT -p udp -i smart -m multiport --dports 53,67,68 -j ACCEPT
+ # iptables -A INPUT -p udp -i multimedia -m multiport --dports 53,67,68 -j ACCEPT
+ # iptables -A INPUT -p udp -i podman0 -m multiport --dports 53,67,68 -j ACCEPT
+ # iptables -A INPUT -p tcp -i infrastructure -m multiport --dports 80,443,453 -j ACCEPT
+ # iptables -A INPUT -p tcp -i smart -m multiport --dports 80,443,453 -j ACCEPT
+ # iptables -A INPUT -p tcp -i multimedia -m multiport --dports 80,443,453 -j ACCEPT
+ # iptables -A INPUT -p tcp -i podman0 -m multiport --dports 80,443,453 -j ACCEPT
 #
- # chain output {
- # type filter hook output priority 100; policy accept;
- # }
+ # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 #
- # chain input {
- # type filter hook input priority filter; policy drop;
+ # iptables -A FORWARD -i wan -d 10.42.0.0/16 -j ACCEPT
+ # iptables -A FORWARD -i lan -d 10.42.0.0/16 -j ACCEPT
+ # iptables -A FORWARD -i podman0 -d 10.42.0.0/16 -j ACCEPT
+ # iptables -A FORWARD -i wg_cloonar -d 10.42.0.0/16 -j ACCEPT
 #
- # # accept any localhost traffic
- # iifname lo accept
+ # iptables -A FORWARD -i lan -o wan -j ACCEPT
+ # iptables -A FORWARD -i infrastructure -o wan -j ACCEPT
+ # iptables -A FORWARD -i podman0 -o wan -j ACCEPT
+ # iptables -A FORWARD -i multimedia -o wan -j ACCEPT
+ # iptables -A FORWARD -i smart -o wan -j ACCEPT
+ # iptables -A FORWARD -i wg_cloonar -o wan -j ACCEPT
 #
- # # Allow trusted networks to access the router
- # iifname {
- # "wan", # disable when final
- # "lan",
- # "wg_cloonar"
- # } counter accept
+ # iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 #
- # # Allow networks to access the dns and dhcp
- # iifname {
- # "lan",
- # "server",
- # "wg_cloonar",
- # "smart",
- # "multimedia"
- # } udp dport { 53, 67, 68 } counter accept
- # iifname {
- # "lan",
- # "server",
- # "wg_cloonar",
- # "smart",
- # "multimedia"
- # } tcp dport { 80, 443, 853 } counter accept
- #
- # # Accept mDNS for avahi reflection
- # # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
- # # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
- #
- # # Allow returning traffic from wg_cloonar and drop everthing else
- # iifname "wg_cloonar" ct state { established, related } counter accept
- # iifname "wg_cloonar" drop
- #
- # iifname "wan" ct state { established, related } accept comment "Allow established traffic"
- # iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
- # iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
- # }
- #
- # chain forward {
- # type filter hook forward priority filter; policy drop;
- #
- # # enable flow offloading for better throughput
- # # ip protocol { tcp, udp } flow offload @f
- #
- # # multimedia airplay
- # iifname "multimedia" oifname { "lan" } counter accept
- #
- # # lan and vpn to any
- # # TODO: disable wan when finished
- # iifname { "wan", "lan", "wg_cloonar" } oifname { "lan", "server", "podman0", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
- #
- # # Allow trusted network WAN access
- # iifname {
- # "lan",
- # "server",
- # "podman0",
- # "multimedia",
- # "smart",
- # "wg_cloonar",
- # } oifname {
- # "wan",
- # } counter accept comment "Allow trusted LAN to WAN"
- #
- # # Allow established WAN to return
- # iifname {
- # "wan",
- # } oifname {
- # "lan",
- # "server",
- # "podman0",
- # "multimedia",
- # "smart",
- # "wg_cloonar",
- # } ct state { established, related } counter accept comment "Allow established back to LANs"
- # }
- # }
- #
- # table ip nat {
- # chain prerouting {
- # type nat hook prerouting priority filter; policy accept;
- # }
- #
- # # Setup NAT masquerading on the ppp0 interface
- # chain postrouting {
- # type nat hook postrouting priority filter; policy accept;
- # # oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
- # oifname { "wan" } masquerade
- # }
- # }
+ # iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
+ # iptables -t nat -A POSTROUTING -o wrwks -j MASQUERADE
+ # iptables -t nat -A POSTROUTING -o wg_epicenter -j MASQUERADE
+ # iptables -t nat -A POSTROUTING -o wg_ghetto_at -j MASQUERADE
 # '';
 # };
+
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ # enable flow offloading for better throughput
+ # flowtable f {
+ # hook ingress priority 0;
+ # devices = { lan, server, wg_cloonar, smart, multimedia, guest };
+ # }
+
+ chain output {
+ type filter hook output priority 100; policy accept;
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ # accept any localhost traffic
+ iifname lo accept
+
+ # Allow trusted networks to access the router
+ iifname {
+ "wan", # disable when final
+ "lan",
+ "wg_cloonar"
+ } counter accept
+
+ # Allow networks to access the dns and dhcp
+ iifname {
+ "lan",
+ "podman0",
+ "infrastructure",
+ "wg_cloonar",
+ "smart",
+ "multimedia"
+ } udp dport { 53, 67, 68 } counter accept
+ iifname {
+ "lan",
+ "podman0",
+ "infrastructure",
+ "wg_cloonar",
+ "smart",
+ "multimedia"
+ } tcp dport { 80, 443, 853 } counter accept
+
+ # Accept mDNS for avahi reflection
+ # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
+ # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
+
+ # Allow returning traffic from wg_cloonar and drop everthing else
+ iifname "wg_cloonar" ct state { established, related } counter accept
+ iifname "wg_cloonar" drop
+
+ iifname "wan" ct state { established, related } accept comment "Allow established traffic"
+ iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
+ iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ # enable flow offloading for better throughput
+ # ip protocol { tcp, udp } flow offload @f
+
+ # multimedia airplay
+ iifname "multimedia" oifname { "lan" } counter accept
+
+ # lan and vpn to any
+ # TODO: disable wan when finished
+ iifname { "wan", "lan", "wg_cloonar" } oifname { "lan", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+
+ # Allow trusted network WAN access
+ iifname {
+ "lan",
+ "infrastructure",
+ "podman0",
+ "multimedia",
+ "smart",
+ "wg_cloonar",
+ } oifname {
+ "wan",
+ } counter accept comment "Allow trusted LAN to WAN"
+
+ # Allow established WAN to return
+ iifname {
+ "wan",
+ } oifname {
+ "lan",
+ "infrastructure",
+ "podman0",
+ "multimedia",
+ "smart",
+ "wg_cloonar",
+ } ct state { established, related } counter accept comment "Allow established back to LANs"
+ }
+ }
+
+ table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority filter; policy accept;
+ }
+
+ # Setup NAT masquerading on the ppp0 interface
+ chain postrouting {
+ type nat hook postrouting priority filter; policy accept;
+ oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
+ # oifname { "wan" } masquerade
+ }
+ }
+ '';
+ };
 };
 }
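Review bot: The `iifname { "wan", "lan", "wg_cloonar" } counter accept` rule near the top of chain input accepts every packet from wan before the drop policy or the later wan-specific rules are evaluated, so `iifname "wan" ct state { established, related } accept`, the ICMP allow and `iifname "wan" counter drop` are dead rules and the router itself is fully reachable from wan; chain forward has the same shape, where `iifname { "wan", "lan", "wg_cloonar" } oifname { ... } counter accept` lets unsolicited wan traffic into every internal network including the WireGuard peers. The "disable when final" and "TODO: disable wan when finished" notes were carried over verbatim from the previously commented-out ruleset, but with `nftables.enable = true` and `firewall.enable = false` this is now the live policy, so removing "wan" from both sets (`iifname { "lan", "wg_cloonar" } counter accept` in input and `iifname { "lan", "wg_cloonar" } oifname { ... } counter accept` in forward) should happen before the host fronts the WAN. The same input rule also accepts wg_cloonar wholesale, which makes the later `iifname "wg_cloonar" drop` unreachable as well. A smaller point: the tcp dport set is `{ 80, 443, 853 }` here while the retired iptables rules (and the new commented-out copy) used 453; 853 is the DNS-over-TLS port and looks intended, but it is a behaviour change worth confirming. Because this is `table inet`, `icmp type { ... }` matches only IPv4 ICMP, so if wan carries IPv6 an equivalent `icmpv6 type { ... }` allow will be needed once the wholesale wan accept is removed.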