author | Kjetil Orbekk <kj@orbekk.com> | 2021-03-07 20:34:57 -0500 |
---|---|---|
committer | Kjetil Orbekk <kj@orbekk.com> | 2021-03-07 20:34:57 -0500 |
commit | 27136676414d506f26ee0a3e7aa38be545dd64e1 (patch) | |
tree | 4b05b5bb9b18264129c70bd97ceac68e5c2224fd /modules/simple-firewall.nix | |
parent | 397d074fa395afdfd02073e81cee5576b742f3b6 (diff) |
More nftables
Diffstat (limited to 'modules/simple-firewall.nix')
-rw-r--r-- | modules/simple-firewall.nix | 49 |
1 files changed, 27 insertions, 22 deletions
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix index eda869a..2585a5d 100644 --- a/modules/simple-firewall.nix +++ b/modules/simple-firewall.nix @@ -30,35 +30,40 @@ in let csvPorts = ports: lib.concatStringsSep "," (map toString ports); in '' - table inet filter { - chain allowed_ports { - ${lib.optionalString (cfg.allowedTCPPorts != []) '' - tcp dport {${csvPorts cfg.allowedTCPPorts}} counter accept - ''} - ${lib.optionalString (cfg.allowedUDPPorts != []) '' - udp dport {${csvPorts cfg.allowedUDPPorts}} counter accept - ''} - } + table inet filter { + set allowed_tcp_ports { + type inet_service + ${lib.optionalString (cfg.allowedTCPPorts != [])'' + elements = {${csvPorts cfg.allowedTCPPorts}} + ''} + } + set allowed_udp_ports { + type inet_service + ${lib.optionalString (cfg.allowedUDPPorts != [])'' + elements = {${csvPorts cfg.allowedUDPPorts}} + ''} + } - chain input { - type filter hook input priority 0 + chain input { + type filter hook input priority 0 - iif lo accept + iif lo accept - ct state {established, related} accept + ct state {established, related} accept - ip protocol icmp limit rate 4/second counter accept - ip6 nexthdr ipv6-icmp limit rate 4/second counter accept + ip protocol icmp limit rate 4/second counter accept + ip6 nexthdr ipv6-icmp limit rate 4/second counter accept - jump allowed_ports + tcp dport @allowed_tcp_ports counter accept + udp dport @allowed_udp_ports counter accept - counter drop - } + counter drop + } - chain output { - type filter hook output priority 0 - counter accept - } + chain output { + type filter hook output priority 0 + counter accept + } } ''; }; |
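Review bot: The new `chain input` is deny-by-default only because its last rule is `counter drop`; declaring `type filter hook input priority 0; policy drop;` makes that explicit and keeps the chain closed if the trailing rule is ever edited out, and a `ct state invalid drop` ahead of the established/related accept is customary alongside it. The re-indented line `ip6 nexthdr ipv6-icmp limit rate 4/second counter accept` applies the 4/second limit to neighbour discovery as well, which can leave the host unreachable over IPv6 under load; accepting the NDP types first (`icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`) avoids that, and `meta l4proto ipv6-icmp` also matches ICMPv6 behind extension headers where `ip6 nexthdr` does not. The two sets are declared without `flags interval`, so they hold single ports only — consistent with the `toString`-mapped lists `csvPorts` builds, but worth a one-line comment on each set so nobody later feeds a range into `allowedTCPPorts` and gets a table that fails to load. The enclosing expression starts above the hunk.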