From b3eb86c0a1e46c82139fb67132cb3a282486a10a Mon Sep 17 00:00:00 2001
From: catvayor
Date: Thu, 9 Jan 2025 22:41:51 +0100
Subject: [PATCH] feat(ISP/firewall): forward filtering removes the snat filtering of preliminar tests
---
 machines/nixos/vault01/networking.nix | 68 ++++++++++++++++++++++-----
 1 file changed, 55 insertions(+), 13 deletions(-)
diff --git a/machines/nixos/vault01/networking.nix b/machines/nixos/vault01/networking.nix
index 6e26450..de59fe1 100644
--- a/machines/nixos/vault01/networking.nix
+++ b/machines/nixos/vault01/networking.nix
@@ -336,18 +336,58 @@ in
 ] ++ userVlans;
 nftables = {
 enable = true;
- tables.nat = {
- family = "ip";
- content = ''
- chain postrouting {
- type nat hook postrouting priority 100;
- ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.157
- ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
- ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
- ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
- ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
- }
- '';
+ tables = {
+ nat = {
+ family = "ip";
+ content = ''
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
+ }
+ '';
+ };
+ filter = {
+ family = "inet";
+ content = ''
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ ct state vmap {
+ invalid: drop,
+ established: accept,
+ related: accept,
+ new: jump forward_decide,
+ untracked: jump forward_decide,
+ };
+ }
+ chain forward_decide {
+ # Block access to vpn
+ ip daddr {
+ 10.10.17.0/30,
+ 100.80.0.0/16,
+ } jump forward_reject;
+
+ # And administrative vlans
+ ip6 daddr {
+ fd26:baf9:d250::/48,
+ } jump forward_reject;
+
+ # These are being deployed, and so are not trusted
+ ip saddr 10.0.255.0/24 jump forward_reject;
+
+ # We only forward for ISP clients and our stuff
+ ip saddr != 10.0.0.0/16 jump forward_reject;
+
+ # Can talk to us
+ ip daddr 10.0.0.0/27 accept;
+
+ # Not others nor CRI
+ ip daddr 10.0.0.0/8 jump forward_reject;
+ }
+ chain forward_reject {
+ reject with icmpx type admin-prohibited;
+ }
+ '';
+ };
 };
 };
 firewall = {
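Review bot: The source restriction in forward_decide is IPv4-only (`ip saddr != 10.0.0.0/16 jump forward_reject;`) while the chain lives in an `inet` table whose forward hook has `policy accept`, so a new IPv6 flow from any source, including one arriving on the uplink, is forwarded unless its destination is fd26:baf9:d250::/48; the 10.0.255.0/24 "being deployed" exclusion likewise has no IPv6 counterpart. Whether vault01 routes IPv6 at all is not visible in this hunk, but if it does, either add a matching rule next to the IPv4 one, e.g. `ip6 saddr != <ISP-client-v6-prefix> jump forward_reject;` (prefix is a placeholder to fill in), or turn forward_decide into an allowlist so that an unmatched flow ends in forward_reject instead of the chain policy. It is also worth a comment that forward_decide has no terminal verdict of its own: ISP-client-to-internet traffic is accepted only by falling back to the hook's `policy accept`, which is easy to misread as "not handled".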
@@ -355,7 +395,9 @@ in
 67
 1194
 ];
- checkReversePath = false;
+ # FIXME: I dont't remember why it's here, and it doesn't seems right
+ # comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5
+ # checkReversePath = false;
 };
 };
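Review bot: Commenting out `checkReversePath = false;` re-enables the NixOS firewall's default reverse-path filter on a host that, per the previous hunk, now SNATs and forwards for 10.0.0.0/16 and whose port list just above includes 1194 (presumably the VPN); on a gateway with any asymmetric route this drops return traffic, and unless `logReversePathDrops` is set it does so without a log line. The added FIXME records that the reason for the original setting is unknown rather than that it was checked, so I would resolve it before merging (the linked commit should say why it was disabled) or, if the filter is deliberately re-enabled, replace the three added comment lines with one that states the decision, e.g. `# reverse-path filtering re-enabled: all client traffic enters and leaves on the same interface; revisit if asymmetric routing is introduced`. The enclosing `firewall = {` set starts in the previous hunk, and the context-line count suggests this hunk may extend one (blank) line past what is visible here.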