From 27136676414d506f26ee0a3e7aa38be545dd64e1 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sun, 7 Mar 2021 20:34:57 -0500
Subject: More nftables
---
 modules/simple-firewall.nix | 49 +++++++++++++++++++++++++--------------------
 1 file changed, 27 insertions(+), 22 deletions(-)
(limited to 'modules/simple-firewall.nix')
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
index eda869a..2585a5d 100644
--- a/modules/simple-firewall.nix
+++ b/modules/simple-firewall.nix
@@ -30,35 +30,40 @@ in
 let csvPorts = ports: lib.concatStringsSep "," (map toString ports); in ''
- table inet filter {
- chain allowed_ports {
- ${lib.optionalString (cfg.allowedTCPPorts != []) ''
- tcp dport {${csvPorts cfg.allowedTCPPorts}} counter accept
- ''}
- ${lib.optionalString (cfg.allowedUDPPorts != []) ''
- udp dport {${csvPorts cfg.allowedUDPPorts}} counter accept
- ''}
- }
+ table inet filter {
+ set allowed_tcp_ports {
+ type inet_service
+ ${lib.optionalString (cfg.allowedTCPPorts != [])''
+ elements = {${csvPorts cfg.allowedTCPPorts}}
+ ''}
+ }
+ set allowed_udp_ports {
+ type inet_service
+ ${lib.optionalString (cfg.allowedUDPPorts != [])''
+ elements = {${csvPorts cfg.allowedUDPPorts}}
+ ''}
+ }
- chain input {
- type filter hook input priority 0
+ chain input {
+ type filter hook input priority 0
- iif lo accept
+ iif lo accept
- ct state {established, related} accept
+ ct state {established, related} accept
- ip protocol icmp limit rate 4/second counter accept
- ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
+ ip protocol icmp limit rate 4/second counter accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
- jump allowed_ports
+ tcp dport @allowed_tcp_ports counter accept
+ udp dport @allowed_udp_ports counter accept
- counter drop
- }
+ counter drop
+ }
- chain output {
- type filter hook output priority 0
- counter accept
- }
+ chain output {
+ type filter hook output priority 0
+ counter accept
+ }
 }
 '';
 };
-- cgit v1.2.3
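Review bot: The rewritten `chain input` still declares its base chain as `type filter hook input priority 0` with no explicit policy, so the chain's default policy remains accept and the only thing making this deny-by-default is the trailing `counter drop` rule; writing it as `type filter hook input priority 0; policy drop;` keeps the chain fail-closed even if that terminal rule is later edited out or a rule is appended after it. In the same chain, `ct state {established, related} accept` is not preceded by an invalid-state drop; adding `ct state invalid drop` immediately before it is the usual nftables idiom so that packets belonging to no tracked connection are never evaluated against the port sets. The empty-list case looks correct as written: when a port list is empty the set is declared with no `elements`, and `tcp dport @allowed_tcp_ports` / `udp dport @allowed_udp_ports` then match nothing, which fails closed. The `ip6 nexthdr ipv6-icmp` match is carried over unchanged; as far as I can tell from nftables semantics rather than this hunk, it only matches when ICMPv6 is the immediate next header, so `meta l4proto ipv6-icmp` would be the more robust form if extension headers are a concern.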