37 lines
800 B
Nix
37 lines
800 B
Nix
{
|
|
# lib,
|
|
# pkgs,
|
|
# config,
|
|
...
|
|
}:
|
|
{
|
|
networking.nftables = {
|
|
enable = true;
|
|
tables = {
|
|
yggSsh = {
|
|
name = "yggSsh";
|
|
family = "inet";
|
|
content = ''
|
|
chain input {
|
|
type filter hook input priority filter; policy accept;
|
|
ct state related,established accept
|
|
|
|
# Restrict ygg0: only allow SSH in
|
|
iifname "ygg0" tcp dport 22 accept
|
|
iifname "ygg0" drop
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority filter; policy accept;
|
|
# Optional: drop forwarding via ygg0
|
|
iifname "ygg0" drop
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority filter; policy accept;
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
}
|