Enforces VPN connection for transmission daemon

2025-04-12 19:27:17 +00:00 · 2023-11-19 17:55:42 -08:00 · 2023-11-19 17:55:42 -08:00 · c64a86f1a6
commit c64a86f1a6
parent 8dcc08b189
3 changed files with 157 additions and 84 deletions
--- a/nixos/hosts/nixbox.nix
+++ b/nixos/hosts/nixbox.nix
@ -70,8 +70,78 @@
  networking.firewall.allowedTCPPorts = [9091];
  networking.firewall.allowedUDPPorts = [9091];

+  networking.firewall.logRefusedConnections = true;
+  networking.firewall.logRefusedPackets = true;
+
+  networking.nftables.enable = true;
+  networking.nftables.flushRuleset = true;
+
+  networking.nftables.tables."nixos-fw".content = lib.mkForce "";
+
+  networking.firewall.trustedInterfaces = ["zt*"];
+
  swapDevices = [];

+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain input {
+        type filter hook input priority 0;
+
+        # accept all localhost and zerotier traffic
+        iifname lo accept
+        iifname "zt*" accept
+
+        # accept traffic sent by us
+        ct state {established, related} accept
+
+        # ICMP
+        # routers may also want: mld-listener-query, nd-router-solicit
+        ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+        # allow "ping"
+        ip protocol icmp icmp type echo-request accept
+
+        # jellyfin
+        tcp dport 8096 accept
+        tcp dport 8920 accept
+        udp dport 1900 accept
+        udp dport 7359 accept
+
+        # transmission web ui
+        tcp dport 9091 accept
+
+        # zerotier
+        udp dport 9993 accept
+        tcp dport 9993 accept
+
+        # ssh
+        tcp dport 22 accept
+
+        # drop all other packets
+        #counter drop
+        accept
+      }
+
+      chain output {
+        type filter hook output priority 0;
+
+        oifname != { "lo", "tun0", "zt*" } skgid 70 counter reject
+
+        # zerotier
+        oifname "zt*" accept
+        udp dport 9993 accept
+        tcp dport 9993 accept
+
+        accept
+      }
+
+      chain forward {
+        type filter hook forward priority 0;
+        accept
+      }
+    }
+  '';
+
  networking.useDHCP = lib.mkDefault true;

  networking.hostName = "nixbox";
--- a/nixos/modules/nordvpn.nix
+++ b/nixos/modules/nordvpn.nix
@ -5,7 +5,7 @@
  globals,
  ...
 }: {
-  services.openvpn.servers.nordp2p.config = ''
+  services.openvpn.servers.nordp2p.config = ''    config ${pkgs.writeText "ovpn-config" ''
      client
      dev tun
      proto udp
@ -92,5 +92,6 @@
      -----END OpenVPN Static key V1-----
      </tls-auth>

+    ''}
  '';
 }
--- a/nixos/profiles/desktop.nix
+++ b/nixos/profiles/desktop.nix
@ -24,6 +24,8 @@

    synaptics.enable = false;

+    displayManager.lightdm.enable = false;
+
    libinput = {
      enable = true;
      touchpad.tapping = true;