nftables: add libvirt rules for NAT

home/.config/doom/config.el

@@ -363,6 +363,8 @@
   :after eshell
   :hook (eshell-banner-load . eshell-info-banner-update-banner))
 
+;; (buffer-expose-mode 1)
+
 ;; Here are some additional functions/macros that could help you configure Doom:
 ;;
 ;; - `load!' for loading external *.el files relative to this one

home/.config/doom/packages.el

@@ -71,6 +71,7 @@
 (package! eshell-info-banner
   :recipe (:host github :repo "Phundrak/eshell-info-banner.el"))
 (package! org-tree-slide)
+;;(package! buffer-expose)
 ;;(package! gemini-mode)
 ;;(package! page-break-lines)
 ;;(package! vlf)

setup/zkc.sh

@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+# You need sqlite-devel
+git clone https://git.sr.ht/~fancycade/zkc
+cd zkc
+meson build --prefix=$HOME/.local
+ninja -C build install
+
+cd ..

system/etc/nftables.conf

@@ -1,11 +1,15 @@
 #!/sbin/nft -f
 
-# References
+# References:
+# https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
 # https://wiki.gentoo.org/wiki/Nftables/Examples
 # https://wiki.archlinux.org/title/Nftables
 # https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
 # https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
 
+# Libvirt:
+# https://libvirt.org/firewall.html
+
 flush ruleset
 
 # TCP ports to accept (both IPv4 and IPv6)
@@ -15,17 +19,42 @@ flush ruleset
 #define ACCEPT_UDP_PORTS = {}
 
 table inet filter {
+	chain libvirt_input {
+		iifname "virbr0" udp dport 53 counter accept
+		iifname "virbr0" tcp dport 53 counter accept
+		iifname "virbr0" udp dport 67 counter accept
+		iifname "virbr0" tcp dport 67 counter accept
+	}
+
+	chain libvirt_forward {
+		oifname "virbr0" ip daddr 192.168.122.0/24 ct state { established, related } counter accept
+		iifname "virbr0" ip saddr 192.168.122.0/24 counter accept
+		iifname "virbr0" oifname "virbr0" counter accept
+		oifname "virbr0" counter reject with icmpx type port-unreachable
+		iifname "virbr0" counter reject with icmpx type port-unreachable
+	}
+
+	chain libvirt_postrouting {
+		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
+	}
+
 	# Default to drop all inbound traffic, unless they meet our criteria
 	chain input {
 		type filter hook input priority 0; policy drop;
 
 		ct state invalid counter drop
-		ct state {established,related} counter accept
+		ct state { established, related } counter accept
+		ct status dnat accept
 
 		iif lo accept
 		iif != lo ip daddr 127.0.0.1/8 counter drop
 		iif != lo ip6 daddr ::1/128 counter drop
 
+		counter jump libvirt_input
+
+		# Reject AUTH to make it fail fast
+		tcp dport 113 reject with icmpx type port-unreachable
+
 		# Accept user-defined ports
 		#tcp dport $ACCEPT_TCP_PORTS counter accept
 		#udp dport $ACCEPT_UDP_PORTS counter accept
@@ -34,9 +63,10 @@ table inet filter {
 		#tcp dport ssh ct state new limit rate 6/minute accept
 
 		# Mitigate ping floods
-		ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop
+		ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
-		ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop
+		ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
 
+		# Accept ICMPv4
 		ip protocol icmp icmp type {
 			echo-reply,
 			echo-request,
@@ -47,19 +77,32 @@ table inet filter {
 			router-solicitation
 		} counter accept
 
+		# Accept basic ICMPv6 functionality
 		ip6 nexthdr icmpv6 icmpv6 type {
 			echo-reply,
 			echo-request,
 			destination-unreachable,
-			mld-listener-query,
-			mld-listener-reduction,
-			mld-listener-report,
-			mld2-listener-report,
 			packet-too-big,
 			time-exceeded,
 			parameter-problem
 		} counter accept
 
+		# Allow ICMPv6 SLAAC
+		ip6 nexthdr icmpv6 icmpv6 type {
+			nd-router-solicit,
+			nd-router-advert,
+			nd-neighbor-solicit,
+			nd-neighbor-advert,
+		} ip6 hoplimit 255 counter accept
+
+		# Allow ICMPv6 multicast listener discovery on link-local
+		ip6 nexthdr icmpv6 icmpv6 type {
+			mld-listener-query,
+			mld-listener-report,
+			mld-listener-reduction,
+			mld2-listener-report,
+		} ip6 saddr fe80::/10 counter accept
+
 		counter comment "Count dropped packets"
 		#log prefix "[nftables] Inbound Denied: " flags all counter drop
 	}
@@ -68,6 +111,16 @@ table inet filter {
 	# Can be enabled while using VPN (for tunneling)
 	chain forward {
 		type filter hook forward priority 0; policy drop;
+
+		ct state { related, established } accept
+		ct status dnat accept
+
+		oif lo accept
+		oif != lo ip daddr 127.0.0.1/8 counter drop
+		oif != lo ip6 daddr ::1/128 counter drop
+
+		counter jump libvirt_forward
+
 		counter comment "Count dropped packets"
 		#log prefix "[nftables] Forward Denied: " flags all counter drop
 	}
@@ -76,6 +129,11 @@ table inet filter {
 	chain output {
 		type filter hook output priority 0; policy accept;
 		counter comment "Count accepted packets"
-		#log prefix "[nftables] Outbound Accepted: " flags all counter accpet
+		#log prefix "[nftables] Outbound Accepted: " flags all counter accept
+	}
+
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		counter jump libvirt_postrouting
 	}
 }