commit da5a14b65de5c3f4f2284253e48a5862e3445cfc
parent 72ff15517c4652c7e879f87a7fddbb2e569cc8ba
Author: Luke Willis <lukejw@monastech.xyz>
Date: Wed, 6 May 2026 15:45:40 -0400
andrew: Add firewall using nftables-service-type
Diffstat:
1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/mt/system/andrew.scm b/mt/system/andrew.scm
@@ -7,6 +7,7 @@
#:use-module (gnu bootloader grub)
#:use-module (gnu services)
#:use-module (gnu services certbot)
+ #:use-module (gnu services networking)
#:use-module (gnu services version-control)
#:use-module (gnu services shepherd)
#:use-module (gnu services web)
@@ -272,6 +273,50 @@
Welcome to \"andrew\" the, first MonasTech server.
")
+(define %nftables-ruleset
+ (plain-file "nftables.conf" "\
+# A simple and safe firewall
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ # early drop of invalid connections
+ ct state invalid drop
+
+ # allow established/related connections
+ ct state { established, related } accept
+
+ # allow from loopback
+ iif lo accept
+ # drop connections to lo not coming from lo
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+
+ # allow icmp
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ # allow ssh
+ tcp dport ssh accept
+
+ # allow ngninx
+ tcp dport { 80, 443 } accept
+
+ # allow minecraft / voice chat
+ th dport { 25565, 24454 } accept
+
+ # reject everything else
+ reject with icmpx type port-unreachable
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+"))
+
(define andrew-os
(operating-system
(host-name "andrew")
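Review bot: `th dport { 25565, 24454 } accept` matches the transport header whatever the protocol, so it opens 25565 and 24454 on both TCP and UDP, while the Minecraft server presumably listens only on TCP 25565 and the voice-chat mod only on UDP 24454 (confirm against the mod's config); splitting it into `tcp dport 25565 accept` and `udp dport 24454 accept` limits exposure to what is actually listening. On the IPv6 side, `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the immediate next header, so ICMPv6 behind an extension header (MLD reports with a Hop-by-Hop option, for instance) falls through to the final reject; `meta l4proto ipv6-icmp accept` is the usual form. Both ICMP rules also accept every type without a rate limit, which is acceptable for a small host but worth a `limit rate` clause if the box is ever exposed to floods. Lastly, the trailing `reject with icmpx type port-unreachable` makes the chain's `policy drop` unreachable, which is fine, but the header comment could state that the chain rejects rather than drops so nobody later removes the reject expecting silent drops.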
@@ -312,12 +357,15 @@ Welcome to \"andrew\" the, first MonasTech server.
(services
(append
- (list (service minecraft-service-type
+ (list (service nftables-service-type
+ (nftables-configuration
+ (ruleset %nftables-ruleset)))
+ (service minecraft-service-type
(minecraft-configuration
(properties `(("motd" . "MonasTech Private Server")
("difficulty" . "hard")
("white-list" . "true")
- ("enforce-whitelist" . "true")
+ ("spawn-protection" . "0")
("enforce-secure-profile" . "false")))
(mods (list
;; Fabric API