author | Mark Nipper <nipsy@bitgnome.net> | 2025-09-22 19:04:06 -0700 |
committer | Mark Nipper <nipsy@bitgnome.net> | 2025-09-22 19:04:06 -0700 |
commit | dd49ff9375dc0d24ea079047990433d360920ee5 (patch) | |
tree | 725425ee7dcac8ab31812bc25790ffa583998964 | |
parent | 02952de4eec3b65d2612925e1ce168ed2dc5db45 (diff) | |
Add VPN firewall rule @arrakis
-rw-r--r-- | hosts/arrakis/default.nix | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix index c5b1f89..6613c67 100644 --- a/hosts/arrakis/default.nix +++ b/hosts/arrakis/default.nix 
@@ -27,53 +27,57 @@ environment.etc."nftables-vpn.conf".text = '' # VPN firewall - + flush ruleset - + table inet filter { chain input { type filter hook input priority filter; policy drop; - + # established/related connections ct state established,related accept - + # invalid connections ct state invalid drop - + # loopback interface iif lo accept - + # ICMP (routers may also want: mld-listener-query, nd-router-solicit) #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept - + # services iif veth.vpn tcp dport 8080 accept # qBittorrent iif veth.vpn tcp dport 9696 accept # Prowlarr iifname wg1 tcp dport { 49152-65535 } accept # Transmission + + # drop everything else + tcp flags & (fin | syn | rst | ack) == syn log prefix "refused connection: " level info + counter drop } chain output { type filter hook output priority filter; policy drop; - + # explicitly allow my DNS traffic without VPN skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept skuid nipsy ip daddr 192.168.1.1 udp dport domain accept - + # explicitly allow my traffic without VPN oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent - + # allow any traffic out through VPN oifname wg1 accept - - # drop everything else - tcp flags & (fin | syn | rst | ack) == syn log prefix "refused connection: " level info + + # drop everything else + tcp flags & (fin | syn | rst | ack) == syn log prefix "refused 
connection: " level info counter drop } - + chain forward { type filter hook forward priority filter; policy drop; } |
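Review bot: The `log` rule added at the end of chain input (the `+` lines after the Transmission rule, and the same rule re-added at the end of chain output) fires on every unsolicited TCP SYN that reaches the chain's tail with no rate limit, so any peer reachable over wg1 or veth.vpn can drive unbounded syslog volume simply by sending SYNs to closed ports. Adding an nftables limit expression keeps the detection signal while bounding the cost, e.g. `tcp flags & (fin | syn | rst | ack) == syn limit rate 5/minute burst 10 packets log prefix "refused connection: " level info`. Because `log` is non-terminating and `counter drop` is a separate rule, packets over the limit are still dropped and counted, only the log line is suppressed. Note that non-TCP rejections (UDP, and ICMP types outside the accepted set) are never logged by this rule; if that is intentional, a comment such as `# only unsolicited TCP SYNs are logged; UDP/ICMP drops are silent` next to `# drop everything else` would make it explicit. The enclosing `environment.etc."nftables-vpn.conf".text` string starts before the hunk and its closing `''` lies beyond it.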