router firewall config

author: Kjetil Orbekk <kj@orbekk.com> 2023-02-25 15:09:10 -0500
committer: Kjetil Orbekk <kj@orbekk.com> 2023-02-25 15:09:10 -0500
commit: dc29c72c1a1da0e4373257ee5d059abd2031dbb5 (patch)
tree: 983357721423ccec841d53f6611f62c55a52cb92
parent: 12f7ee94d3382580ae1a2c80c8889f115785ee27 (diff)
1 files changed, 48 insertions, 1 deletions
diff --git a/modules/router.nix b/modules/router.nix
index 359832e..8d712e9 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -67,10 +67,50 @@ let
 
     networking.dhcpcd = {
       extraConfig = ''
+        noipv6rs
+        nohook resolv.conf
         interface wan-vport
           dhcp
       '';
     };
+
+    networking.firewall.enable = false;
+    networking.nftables.enable = true;
+    networking.nftables.ruleset =
+      let
+        ports-to-csv = ports: concatStringsSep "," (map toString ports);
+      in ''
+        table inet filter {
+          chain input {
+            type filter hook input priority 0;
+            iif lo accept;
+
+            ct state {established, related} accept;
+
+            counter drop;
+          }
+
+          chain output {
+            type filter hook output priority 0
+            counter accept
+          }
+
+          chain forward {
+            type filter hook forward priority 0; policy drop;
+
+            ct state vmap { established : accept, related : accept, invalid : drop };
+
+            counter drop;
+          }
+        }
+
+        table nat postrouting {
+          chain nat {
+            type nat hook postrouting priority 100;
+            ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade;
+          }
+        }
+      '';
   };
 in {
   options = {
@@ -80,6 +120,13 @@ in {
   };
 
   config = mkIf cfg.enable {
+    boot.kernel.sysctl = {
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv4.conf.default.forwarding" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+      "net.ipv6.conf.default.forwarding" = true;
+    };
+
     systemd.services."router-netns" = {
       description = "router network namespace";
       before = ["network.target"];
@@ -93,7 +140,7 @@ in {
       };
     };
 
-    networking.wireguard.interfaces.vpn.interfaceNamespace = "router";
+    networking.wireguard.interfaces.mullvad.interfaceNamespace = "router";
 
     systemd.services."container@router" = {
       after = ["router-netns.service"];
author	Kjetil Orbekk <kj@orbekk.com>	2023-02-25 15:09:10 -0500
committer	Kjetil Orbekk <kj@orbekk.com>	2023-02-25 15:09:10 -0500
commit	dc29c72c1a1da0e4373257ee5d059abd2031dbb5 (patch)
tree	983357721423ccec841d53f6611f62c55a52cb92
parent	12f7ee94d3382580ae1a2c80c8889f115785ee27 (diff)