Improvements

FAForever · Oct 12, 2024 · e66da99 · e66da99
1 parent 5f4a94a
commit e66da99
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 37 deletions.
diff --git a/common/configuration.nix b/common/configuration.nix
@@ -37,7 +37,8 @@
      "zfs.zfs_arc_max=25769803776"
     ];
 
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # Use latest kernel
+    #kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # Use latest kernel
+    kernelPackages = pkgs.linuxPackages_6_10;
 
     initrd = {
       # Virtual rescue system boots over fake SATA controllers
@@ -70,20 +71,35 @@
       logRefusedConnections = false;
       rejectPackets = false;
       extraCommands = '' 
-        # icmp limitations
-        iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP;
-        iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 50 -j ACCEPT;
-        iptables -A INPUT -p icmp -j DROP;
-
-        # Block all fragmented packets
-        iptables -A INPUT -f -j DROP
-        iptables -A FORWARD -f -j DROP
-
-        # Block packets with overlapping fragments
-        iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-        iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-        iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-        iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+	# ICMP limitations
+
+	# Block uncommon ICMP types
+	iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
+	iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP
+	iptables -A INPUT -p icmp --icmp-type redirect -j DROP
+	iptables -A INPUT -p icmp --icmp-type source-quench -j DROP
+
+	# Allow echo requests and replies with rate limiting
+	iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+	iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+
+	# Allow necessary ICMP types with rate limiting
+	iptables -A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+	iptables -A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+	iptables -A INPUT -p icmp --icmp-type parameter-problem -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+
+	# Log and drop fragmented ICMP packets only
+	iptables -A INPUT -p icmp -f -j LOG --log-prefix "Fragmented ICMP Packet: "
+	iptables -A INPUT -p icmp -f -j DROP
+
+	# Drop all ICMP packets that didn't match previous rules
+	iptables -A INPUT -p icmp -j DROP
+
+	# Other rules (e.g., blocking TCP flags)
+	iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+	iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+	iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+	iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
       '';
       allowedTCPPorts = [
         80 
@@ -109,7 +125,6 @@
 
 
   services.resolved.dnssec = "false";
-
 
   systemd.network.wait-online.anyInterface = true;
 

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -2,7 +2,7 @@
   description = "FAForever Nixos Configs";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small";
     #nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     srvos.url = "github:nix-community/srvos";
     secrets = {
@@ -17,7 +17,20 @@
       "fafprod3" = nixpkgs.lib.nixosSystem rec {
         system = "x86_64-linux";
         modules = [
+          ./common/configuration.nix
           ./machines/prod3/configuration.nix
+          srvos.nixosModules.server
+          ( import (secrets + /networking-prod2.nix))
+          ( import (secrets + /users-prod.nix))
+        ];
+      };
+      "test1" = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+        modules = [
+          ./common/configuration.nix
+          ./machines/test1/configuration.nix
+          srvos.nixosModules.server
+          ( import (secrets + /users-test.nix))
         ];
       };
     };

diff --git a/machines/prod3/configuration.nix b/machines/prod3/configuration.nix
@@ -3,9 +3,6 @@
 {
   imports =
     [
-      ../../common/configuration.nix
-      ../../secrets/networking-prod2.nix
-      ../../secrets/users-prod.nix
       ./hardware-configuration.nix
     ];
 
@@ -114,4 +111,6 @@
     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDgYjxtGirvoIc63P4TUHDmnXaoWNorPL4m0xJelHayveJc0DbstnwcIwCULTTDOeYTgzexYbCjlpEaABz4lMM9sNdyOQaUj7jn20nPzXAr/nyaTq7wP0klIiOrCvyaEl9eA5IhcwltACPdnDMm+Mr2+v4qyTFJzwVVtyoV42KqWOUzcTfx8/8qlgEbTpih3XX3UeuUtjPQCm8tMDnJiQO4E1UYw6n+fJ9Be4p4tBVbMF7JDn9g3d2DIgfgGWug/n4RMHUNvzLe+X/v8EQZtgNWf1MU7g6xdhWAUDvL75BOJstSDUAgrzPjAqLBpDV+MKAvCctDYKUnpDvGeCXfBn"
   ];
 
+  system.stateVersion = "24.05";
+
 }
diff --git a/machines/test1/configuration.nix b/machines/test1/configuration.nix
@@ -3,8 +3,6 @@
 {
   imports =
     [
-      ../../common/configuration.nix
-      ../../secrets/users-test.nix
       ./hardware-configuration.nix
     ];
 

diff --git a/old-configuration.nix b/old-configuration.nix