diff --git a/hosts/sobotka/default.nix b/hosts/sobotka/default.nix
index 1b26e2cf..dcd37af4 100644
--- a/hosts/sobotka/default.nix
+++ b/hosts/sobotka/default.nix
@@ -47,32 +47,47 @@ in {
 nftables.tables = {
 filter = {
 family = "inet";
- chains.input.rules = [
- {
- match = "ip saddr 127.0.0.1 tcp dport 8112";
- action = "accept";
+ content = ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0;
+
+ # Accept localhost traffic
+ iifname lo accept
+
+ # Accept established/related traffic
+ ct state { established, related } accept
+
+ # Allow ICMP (ping etc.)
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ # Allow SSH
+ tcp dport 22 accept
+
+ # --- Custom rules for Deluge ---
+ ip saddr 192.168.88.0/24 tcp dport 8112 accept
+ ip saddr 192.168.88.0/24 udp dport { 58846, 6881 } accept
+
+ # Drop other external access to these ports
+ tcp dport 8112 drop
+ udp dport { 58846, 6881 } drop
+
+ # Default deny
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+ accept
+ }
+
+ chain output {
+ type filter hook output priority 0;
+ accept
+ }
 }
- {
- match = "ip saddr 192.168.88.0/24 tcp dport 8112";
- action = "accept";
- }
- {
- match = "ip saddr 127.0.0.1 udp dport { 58846, 6881 }";
- action = "accept";
- }
- {
- match = "ip saddr 192.168.88.0/24 udp dport { 58846, 6881 }";
- action = "accept";
- }
- {
- match = "tcp dport 8112";
- action = "drop";
- }
- {
- match = "udp dport { 58846, 6881 }";
- action = "drop";
- }
- ];
+ '';
 };
 };
 };
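Review bot: The `table inet filter {` wrapper inside `content` looks wrong if this attribute goes through the NixOS `networking.nftables.tables` module, which itself emits `table <family> <name> { … }` around `content`; the result is a `table` block nested in a `table` block, which `nft` rejects when the ruleset is loaded, so the body should begin at `chain input {` and the outer `table inet filter {` / matching `}` lines be dropped (hedged, since the removed `chains.input.rules` form suggests a repo-local module may be doing the wrapping instead). Independently, the new unconditional `counter drop` at the end of a `type filter hook input priority 0` base chain is a final verdict for the packet, so any service that relies on an accept rule in a different table (for example the NixOS `networking.firewall` table, if it is still enabled on this host) becomes unreachable; please confirm nothing else on sobotka expects inbound traffic, or add those ports here. With that default deny in place, `tcp dport 8112 drop` and `udp dport { 58846, 6881 } drop` are redundant and can be removed or reduced to a comment. `ip6 nexthdr icmpv6 accept` matches only when ICMPv6 is the immediate next header, so `meta l4proto ipv6-icmp accept` is the more reliable form if IPv6 neighbour discovery must keep working; the enclosing module attribute set opened at `in {` continues outside this hunk.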