Diffstat (limited to 'modules')
-rw-r--r--modules/router.nix15
1 files changed, 13 insertions, 2 deletions
diff --git a/modules/router.nix b/modules/router.nix
index 3864d06..63b39fb 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -291,11 +291,13 @@ let
chain forward {
type filter hook forward priority 0; policy drop
- ip protocol icmp limit rate 4/second counter accept comment "icmp v4"
+ip protocol icmp limit rate 4/second counter accept comment "icmp v4"
ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types"
ct state vmap { established : accept, related : accept, invalid : drop }
+ jump miniupnpd
+
# Don't allow accidental vpn forwarding to wan.
iifname vpnlan-vport oifname wan-vport counter reject
oifname he0 counter accept
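Review bot: The added `jump miniupnpd` in `chain forward` targets a chain that this commit defines only inside the separate `table inet miniupnpd` (second hunk), while nftables resolves jump targets within the rule's own table. Unless a `miniupnpd` chain also exists in the forward chain's table outside these hunks, the ruleset will likely fail to load, or the jump will never reach the rules the daemon writes. Declaring `chain miniupnpd {}` in the same table as `chain forward` and setting the daemon's `upnp_table_name` to that table would keep the two consistent. The jump also sits above `iifname vpnlan-vport oifname wan-vport counter reject`, so any accept the daemon installs ends evaluation before that guard; placing the jump below it keeps the VPN-leak rule authoritative. The forward chain continues past the end of this hunk.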
@@ -346,7 +348,16 @@ let
meta nfproto ipv6 oifname {"mullvad"} counter masquerade
}
}
- '';
+ table inet miniupnpd {
+ chain miniupnpd {}
+ chain prerouting_miniupnpd {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+ chain postrouting_miniupnpd {
+ type nat hook postrouting priority srcnat; policy accept;
+ }
+ }
+ '';
};
in {
options = {
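Review bot: The new `table inet miniupnpd` has no comment explaining that its three chains are deliberately empty and are filled at runtime by the miniupnpd daemon. That matters for review because any host allowed to request a mapping effectively writes DNAT rules on this router. I would add a comment above the table such as `# Populated at runtime by miniupnpd; chain names must match its config. Limit which LAN hosts may request mappings in the daemon's allow/deny rules.` If this ruleset is reloaded with a flush (not visible here), mappings the daemon added are presumably lost until it re-adds them, which is worth a second comment line.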