router: move most configuration into modules with options

2025-06-04 21:09:31 -07:00
parent a3f351cf38
commit 47c9cff8f5
16 changed files with 197 additions and 108 deletions
--- a/modules/router/firewall.nix
+++ b/modules/router/firewall.nix
@@ -0,0 +1,221 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix config;
+  links = vars.links;
+  ifs = vars.ifs;
+  pdFromWan = vars.pdFromWan;
+  nftIdentifiers = ''
+    define ZONE_WAN_IFS = { ${ifs.wan.name} }
+    define ZONE_LAN_IFS = {
+        ${ifs.lan.name},
+        ${ifs.lan10.name},
+        ${ifs.lan20.name},
+        ${ifs.lan30.name},
+        ${ifs.lan40.name},
+        ${ifs.lan50.name},
+        ${ifs.wg0.name},
+    }
+    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
+    define ZONE_LAN_EXTRA_NET6 = {
+        # TODO: reevaluate this statement
+        ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
+        $OPNSENSE_NET6,
+    }
+    define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
+    define CLOUDFLARE_NET6 = {
+        # https://www.cloudflare.com/ips-v6
+        # TODO: figure out a better way to get addrs dynamically from url
+        # perhaps building a nixos module/package that fetches the ips?
+        2400:cb00::/32,
+        2606:4700::/32,
+        2803:f800::/32,
+        2405:b500::/32,
+        2405:8100::/32,
+        2a06:98c0::/29,
+        2c0f:f248::/32,
+    }
+  '';
+in
+{
+  networking.firewall.enable = false;
+  networking.nftables.enable = true;
+  # networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
+  networking.nftables.tables.nat4 = {
+    family = "ip";
+    content = ''
+      ${nftIdentifiers}
+      map port_forward {
+          type inet_proto . inet_service : ipv4_addr . inet_service
+          elements = {
+              tcp . 8006 : ${ifs.lan50.p4}.10 . 8006,
+              # opnsense vpn endpoints
+              # the plan is to maybe eventually move these to nixos
+              udp . 18596 : ${vars.extra.opnsense.addr4} . 18596,
+              udp . 48512 : ${vars.extra.opnsense.addr4} . 48512,
+              udp . 40993 : ${vars.extra.opnsense.addr4} . 40993,
+              udp . 45608 : ${vars.extra.opnsense.addr4} . 45608,
+              udp . 35848 : ${vars.extra.opnsense.addr4} . 35848,
+              udp . 48425 : ${vars.extra.opnsense.addr4} . 48425,
+          }
+      }
+
+      chain prerouting {
+          # Initial step, accept by default
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Port forwarding
+          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
+      }
+
+      chain postrouting {
+          # Last step, accept by default
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Masquerade LAN addrs
+          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
+      }
+    '';
+  };
+
+  # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
+  networking.nftables.tables.nat6 = {
+    family = "ip6";
+    enable = false;
+    content = ''
+      ${nftIdentifiers}
+      chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
+      }
+    '';
+  };
+
+  networking.nftables.tables.firewall = {
+    family = "inet";
+    content = ''
+      ${nftIdentifiers}
+      define ALLOWED_TCP_PORTS = { ssh }
+      define ALLOWED_UDP_PORTS = { ${toString vars.ifs.wg0.listenPort} }
+      define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+      define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
+      set port_forward_v6 {
+          type inet_proto . ipv6_addr . inet_service
+          elements = {
+              # syncthing on alpina
+              tcp . ${ifs.lan.p6}::11:1 . 22000 ,
+              udp . ${ifs.lan.p6}::11:1 . 22000 ,
+          }
+      }
+      set cloudflare_forward_v6 {
+          type ipv6_addr
+          elements = {
+              ${ifs.lan.p6}::11:1,
+          }
+      }
+
+      chain input {
+          type filter hook input priority filter; policy drop;
+
+          # Drop router adverts from self
+          # peculiarity due to wan and lan20 being bridged
+          # TODO: figure out a less jank way to do this
+          iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self radvt: " drop
+          # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} ip6 nexthdr icmpv6 log prefix "self icmpv6: " drop
+          # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log prefix "self llv6: " drop
+          # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log drop
+          # iifname $ZONE_LAN_IFS ip6 saddr ${links.wanLL} log drop
+
+          # Allow established and related connections
+          # All icmp stuff should (theoretically) be handled by ct related
+          # https://serverfault.com/a/632363
+          ct state established,related accept
+
+          # However, that doesn't happen for router advertisements from what I can tell
+          # TODO: more testing
+          # Allow ICMPv6 on local addrs
+          ip6 nexthdr icmpv6 ip6 saddr { fe80::/10, ${pdFromWan}0::/60 } accept
+          ip6 nexthdr icmpv6 ip6 daddr fe80::/10 accept # TODO: not sure if necessary
+
+          # Allow all traffic from loopback interface
+          iif lo accept
+
+          # Allow DHCPv6 traffic
+          # I thought dhcpv6-client traffic would be accepted by established/related,
+          # but apparently not.
+          ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
+
+          # Global input rules
+          tcp dport $ALLOWED_TCP_PORTS accept
+          udp dport $ALLOWED_UDP_PORTS accept
+
+          # WAN zone input rules
+          iifname $ZONE_WAN_IFS jump zone_wan_input
+          # LAN zone input rules
+          # iifname $ZONE_LAN_IFS accept
+          iifname $ZONE_LAN_IFS jump zone_lan_input
+          ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
+
+          # log
+      }
+
+      chain forward {
+          type filter hook forward priority filter; policy drop;
+
+          # Allow established and related connections
+          ct state established,related accept
+
+          # WAN zone forward rules
+          iifname $ZONE_WAN_IFS jump zone_wan_forward
+          # LAN zone forward rules
+          iifname $ZONE_LAN_IFS jump zone_lan_forward
+          ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_forward
+      }
+
+      chain zone_wan_input {
+          # Allow specific stuff from WAN
+      }
+
+      chain zone_wan_forward {
+          # Port forwarding
+          ct status dnat accept
+
+          # Allowed IPv6 ports
+          meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
+
+          # Allowed IPv6 from cloudflare
+          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept
+      }
+
+      chain zone_lan_input {
+          # Allow all ICMPv6 from LAN
+          ip6 nexthdr icmpv6 accept
+
+          # Allow all ICMP from LAN
+          ip protocol icmp accept
+
+          # Allow specific services from LAN
+          tcp dport $ALLOWED_TCP_LAN_PORTS accept
+          udp dport $ALLOWED_UDP_LAN_PORTS accept
+      }
+
+      chain zone_lan_forward {
+          # Allow port forwarded targets
+          # ct status dnat accept
+
+          # Allow all traffic from LAN to WAN, except ULAs
+          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 drop  # Not sure if needed
+          oifname $ZONE_WAN_IFS accept;
+
+          # Allow traffic between LANs
+          oifname $ZONE_LAN_IFS accept
+      }
+
+      chain output {
+          # Accept anything out of self by default
+          type filter hook output priority filter; policy accept;
+          # NAT reflection
+          # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
+      }
+    '';
+  };
+}