72084f1a7e
Now that we have networking working, I can enable the firewall and confirm nothing breaks.
57 lines
1.4 KiB
Nix
57 lines
1.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
{
|
|
imports = [ ];
|
|
|
|
options.me = {
|
|
firewall.enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
example = true;
|
|
description = "Whether we want to install firewall.";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf config.me.firewall.enable {
|
|
# kernel modules and settings required by Kubernetes
|
|
boot.kernelModules = [
|
|
"overlay"
|
|
"br_netfilter"
|
|
];
|
|
boot.kernel.sysctl = {
|
|
"net.bridge.bridge-nf-call-iptables" = 1;
|
|
"net.bridge.bridge-nf-call-ip6tables" = 1;
|
|
"net.ipv4.ip_forward" = 1;
|
|
|
|
# Enable forwarding on all interfaces.
|
|
# "net.ipv4.conf.all.forwarding" = 1;
|
|
# "net.ipv6.conf.all.forwarding" = 1;
|
|
};
|
|
|
|
networking.firewall.enable = false;
|
|
networking.nftables.enable = true;
|
|
# We want to filter forwarded traffic.
|
|
# Also needed for `networking.firewall.extraForwardRules` to do anything.
|
|
networking.firewall.filterForward = true;
|
|
|
|
networking.firewall.extraInputRules = ''
|
|
ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
|
|
ip6 saddr fd00:3e42:e349::/112 accept
|
|
ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
|
|
'';
|
|
|
|
networking.firewall.extraForwardRules = ''
|
|
ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
|
|
ip6 daddr fd00:3e42:e349::/112 accept
|
|
ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
|
|
'';
|
|
|
|
# Check logs for blocked connections:
|
|
# journalctl -k or dmesg
|
|
};
|
|
}
|