Enable the firewall.

2026-04-18 15:49:08 -04:00
parent 01f2927bd4
commit a5e70c5d4e
4 changed files with 94 additions and 18 deletions
--- a/nix/kubernetes/roles/firewall/default.nix
+++ b/nix/kubernetes/roles/firewall/default.nix
@@ -32,23 +32,54 @@
      # "net.ipv6.conf.all.forwarding" = 1;
    };

-    networking.firewall.enable = false;
+    networking.firewall.enable = true;
    networking.nftables.enable = true;
    # We want to filter forwarded traffic.
    # Also needed for `networking.firewall.extraForwardRules` to do anything.
    networking.firewall.filterForward = true;

-    networking.firewall.extraInputRules = ''
-      ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
-      ip6 saddr fd00:3e42:e349::/112 accept
-      ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    # Allow traffic from the pods on the lxc interfaces even though the interfaces do not have the correct ip addressses set for the return path.
+    networking.firewall.extraReversePathFilterRules = ''
+      iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      iifname "lxc*" ip saddr 10.200.0.0/16 accept
    '';

-    networking.firewall.extraForwardRules = ''
-      ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
-      ip6 daddr fd00:3e42:e349::/112 accept
-      ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
-    '';
+    networking.firewall.extraInputRules = builtins.concatStringsSep "\n" [
+      # Allow pod-to-node communication
+      ''
+        ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ''
+    ];
+
+    # networking.firewall.extraInputRules = ''
+    #   ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+    #   ip6 saddr fd00:3e42:e349::/112 accept
+    #   ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    # '';
+
+    networking.firewall.extraForwardRules = builtins.concatStringsSep "\n" [
+      # Allow pod to external communication
+      ''
+        iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+        iifname "lxc*" ip saddr 10.200.0.0/16 accept
+      ''
+      # Allow pod-to-pod communication
+      ''
+        ip saddr 10.200.0.0/16 ip daddr 10.200.0.0/16 accept
+        ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ''
+      # Allow external-to-pod communication
+      ''
+        ip daddr 10.200.0.0/16 accept
+        ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ''
+    ];
+
+    # networking.firewall.extraForwardRules = ''
+    #   ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+    #   ip6 daddr fd00:3e42:e349::/112 accept
+    #   ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    # '';

    # Check logs for blocked connections:
    # journalctl -k or dmesg