From dc29c72c1a1da0e4373257ee5d059abd2031dbb5 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sat, 25 Feb 2023 15:09:10 -0500
Subject: router firewall config
---
 modules/router.nix | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/modules/router.nix b/modules/router.nix
index 359832e..8d712e9 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -67,10 +67,50 @@ let
 networking.dhcpcd = {
 extraConfig = ''
+ noipv6rs
+ nohook resolv.conf
 interface wan-vport
 dhcp
 '';
 };
+
+ networking.firewall.enable = false;
+ networking.nftables.enable = true;
+ networking.nftables.ruleset =
+ let
+ ports-to-csv = ports: concatStringsSep "," (map toString ports);
+ in ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ iif lo accept;
+
+ ct state {established, related} accept;
+
+ counter drop;
+ }
+
+ chain output {
+ type filter hook output priority 0
+ counter accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+
+ ct state vmap { established : accept, related : accept, invalid : drop };
+
+ counter drop;
+ }
+ }
+
+ table nat postrouting {
+ chain nat {
+ type nat hook postrouting priority 100;
+ ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade;
+ }
+ }
+ '';
 };
 in {
 options = {
@@ -80,6 +120,13 @@ in {
 };
 config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ };
+
 systemd.services."router-netns" = {
 description = "router network namespace";
 before = ["network.target"];
@@ -93,7 +140,7 @@ in {
 };
 };
- networking.wireguard.interfaces.vpn.interfaceNamespace = "router";
+ networking.wireguard.interfaces.mullvad.interfaceNamespace = "router";
 systemd.services."container@router" = {
 after = ["router-netns.service"];
-- 
cgit v1.2.3
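Review bot: The `forward` chain in the new nftables ruleset accepts only `established`/`related` and then hits `counter drop` under `policy drop`, so no new flow from the 172.16.0.0/12 side can ever be forwarded and the `masquerade` rule in `table nat postrouting` will never see a first packet; a rule such as `iifname "LAN-IFACE-PLACEHOLDER" oifname "wan-vport" ct state new accept;` (interface name to be filled in from the router's actual LAN side) is needed before the final drop. The `input` and `forward` chains also accept no ICMP at all, which on an IPv6-forwarding router breaks neighbour discovery and path-MTU discovery; `meta l4proto { icmp, icmpv6 } accept;` in both chains, placed before `counter drop`, is the usual minimum. Two smaller points in the same hunk: `ports-to-csv` is bound in the `let` but never used in the ruleset, and `chain input` has no explicit `policy drop;` unlike `forward`, so it depends on the trailing `counter drop` staying last. The enclosing `let … in` binding starts before this hunk.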
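Review bot: The four forwarding sysctls are set under the host-level `config = mkIf cfg.enable`, outside the `let` block that holds the nftables `forward` chain, so the host itself now forwards on every interface while the only `policy drop` forward chain added in this commit appears to belong to the router container's configuration; the host's own forward policy is not visible here and should be confirmed. Whether the `router` network namespace created by `router-netns` inherits `conf.all`/`conf.default` forwarding from the host depends on kernel devconf inheritance, so if the container is the one that needs it, presumably the setting belongs in the container config instead — worth verifying. If host-side forwarding is genuinely required, scoping it to the specific interface, e.g. `"net.ipv4.conf.IFACE-PLACEHOLDER.forwarding" = true;`, keeps the rest of the host non-forwarding. The `config` attribute set continues past the end of this hunk.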