-rw-r--r--modules/router.nix49
1 files changed, 48 insertions, 1 deletions
diff --git a/modules/router.nix b/modules/router.nix
index 359832e..8d712e9 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -67,10 +67,50 @@ let
networking.dhcpcd = {
extraConfig = ''
+ noipv6rs
+ nohook resolv.conf
interface wan-vport
dhcp
'';
};
+
+ networking.firewall.enable = false;
+ networking.nftables.enable = true;
+ networking.nftables.ruleset =
+ let
+ ports-to-csv = ports: concatStringsSep "," (map toString ports);
+ in ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ iif lo accept;
+
+ ct state {established, related} accept;
+
+ counter drop;
+ }
+
+ chain output {
+ type filter hook output priority 0
+ counter accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+
+ ct state vmap { established : accept, related : accept, invalid : drop };
+
+ counter drop;
+ }
+ }
+
+ table nat postrouting {
+ chain nat {
+ type nat hook postrouting priority 100;
+ ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade;
+ }
+ }
+ '';
};
in {
options = {
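Review bot: With `networking.firewall.enable = false` on the same hunk, the host's only packet filtering is this ruleset, and the NAT table header `table nat postrouting {` looks like it will not parse — `nat` is not an nftables address family, so nft will most likely reject the whole ruleset and leave the host with no input filter at all; the intended form is probably `table ip nat {` (with the chain keeping `type nat hook postrouting priority 100;`). Independently of that, the `input` chain accepts only loopback and established/related traffic, which presumably also drops ICMPv6 neighbour discovery and ICMP error messages; since the companion hunk turns on IPv6 forwarding, a rule such as `ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept;` (and a `policy drop;` on the chain so the intent is explicit) is worth adding. Note too that the `forward` chain admits no new connections at all, so the masquerade rule below cannot apply to any LAN-initiated flow unless a `oif "wan-vport" accept` (or similar) is intended elsewhere; the enclosing `let` binding starts above the hunk.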
@@ -80,6 +120,13 @@ in {
};
config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ };
+
systemd.services."router-netns" = {
description = "router network namespace";
before = ["network.target"];
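Review bot: Setting `net.ipv4.conf.all.forwarding` / `net.ipv6.conf.all.forwarding` here makes the whole host a forwarder on every interface, not just the router interfaces, which widens the attack surface beyond what the module name suggests; if forwarding is only needed inside the `router` namespace or on specific interfaces, prefer per-interface keys such as `"net.ipv4.conf.wan-vport.forwarding" = true;`. Enabling `net.ipv6.conf.all.forwarding` also makes the kernel ignore Router Advertisements unless `accept_ra` is 2, so a host that obtains its own IPv6 configuration via SLAAC may lose connectivity; if that is the case, add `"net.ipv6.conf.<uplink>.accept_ra" = 2;` alongside. A short comment above the block stating why host-wide forwarding is required would help the next reader; the enclosing `config = mkIf cfg.enable` attribute set continues past this hunk.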
@@ -93,7 +140,7 @@ in {
};
};
- networking.wireguard.interfaces.vpn.interfaceNamespace = "router";
+ networking.wireguard.interfaces.mullvad.interfaceNamespace = "router";
systemd.services."container@router" = {
after = ["router-netns.service"];