Diffstat (limited to 'modules')
-rw-r--r--modules/router.nix33
1 files changed, 21 insertions, 12 deletions
diff --git a/modules/router.nix b/modules/router.nix
index adada7b..4f7e212 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -62,7 +62,7 @@ let
no-hosts
dhcp-authoritative
- enable-ra
+ enable-ra
address=/localhost/::1
address=/localhost/127.0.0.1
@@ -85,6 +85,7 @@ let
};
networking.firewall.enable = false;
+ systemd.services.nftables.after = ["kjlan-netdev.service"];
networking.nftables.enable = true;
networking.nftables.ruleset =
let
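Review bot: `after` only orders nftables behind `kjlan-netdev.service`; it does not pull that unit in, so if nothing else starts it the ruleset is loaded while `lan-vport`/`dragon-vport` may not exist yet, and `iif <name>` rules that resolve to an interface index at load time will then fail or silently stop matching once the interface is (re)created with a new index. Consider `systemd.services.nftables = { after = ["kjlan-netdev.service"]; requires = ["kjlan-netdev.service"]; };` (or `bindsTo`) so a restart of the netdev unit also reloads the ruleset, and prefer `iifname`/`oifname` in the ruleset where a by-name match is acceptable. This is inferred from the unit name; the netdev service itself is not in this diff.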
@@ -92,12 +93,14 @@ let
in ''
table inet filter {
chain input {
- type filter hook input priority 0;
- iif lo accept;
+ type filter hook input priority 0
+ iif lo accept
- ct state {established, related} accept;
+ ct state {established, related} counter accept
+ ip protocol icmp limit rate 4/second counter accept
+ meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept
- counter drop;
+ counter drop
}
chain output {
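Review bot: The new `meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept` rule has no interface qualifier, so dnsmasq's DNS and DHCP ports are reachable on every interface of the router, including `wan-vport`, which turns it into an open resolver and DHCP responder toward the WAN side unless dnsmasq itself is bound to the LAN interfaces (that configuration is not visible here). Restrict it to the internal vports, e.g. `iifname {lan-vport, dragon-vport} meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept`. Separately, only IPv4 ICMP is accepted while the dnsmasq block keeps `enable-ra`; ICMPv6 (router solicitation, neighbor discovery) hits the trailing `counter drop`, so add `meta l4proto ipv6-icmp counter accept` (and `dhcpv6-server`/`dhcpv6-client` if DHCPv6 is served). The chain also declares no explicit policy, so `policy drop` would make the intent of the trailing `counter drop` explicit.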
@@ -106,18 +109,23 @@ let
}
chain forward {
- type filter hook forward priority 0; policy drop;
+ type filter hook forward priority 0; policy drop
- ct state vmap { established : accept, related : accept, invalid : drop };
+ ct state vmap { established : accept, related : accept, invalid : drop }
+ iif lan-vport counter accept
+ iif dragon-vport counter accept
- counter drop;
+ counter drop
}
}
- table nat postrouting {
- chain nat {
- type nat hook postrouting priority 100;
- ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade;
+ table nat {
+ chain prerouting {
+ type nat hook prerouting priority -100; policy accept
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept
+ ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade
}
}
'';
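Review bot: `iif lan-vport counter accept` and `iif dragon-vport counter accept` accept forwarded traffic from each internal segment toward any egress interface, so the two segments can reach each other and both can exit directly via `wan-vport` and the masquerade rule; if the `mullvad` WireGuard interface that this module moves into the `router` namespace is meant to be the only egress for LAN clients, this fails open and leaks traffic around the tunnel whenever the routing table points at `wan-vport`. Pin the egress explicitly, e.g. `iifname lan-vport oifname {mullvad} counter accept` and `iifname dragon-vport oifname {mullvad} counter accept`, and add an explicit rule for any intended inter-segment flow. Whether bypassing the tunnel is intended cannot be determined from this diff, so treat this as a question to confirm; the `iif` by-index matching concern from the earlier hunk applies here too.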
@@ -150,6 +158,7 @@ in {
};
};
+ orbekk.mullvad.enable = true;
networking.wireguard.interfaces.mullvad.interfaceNamespace = "router";
systemd.services."container@router" = {