From 6200b657e55e1c34d02c62d10677ea85a02d841e Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sat, 25 Feb 2023 19:35:55 -0500
Subject: Update router
---
 modules/router.nix | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
(limited to 'modules')
diff --git a/modules/router.nix b/modules/router.nix
index adada7b..4f7e212 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -62,7 +62,7 @@ let
 no-hosts
 dhcp-authoritative
- enable-ra
+ enable-ra
 address=/localhost/::1
 address=/localhost/127.0.0.1
@@ -85,6 +85,7 @@ let
 };
 networking.firewall.enable = false;
+ systemd.services.nftables.after = ["kjlan-netdev.service"];
 networking.nftables.enable = true;
 networking.nftables.ruleset = let
@@ -92,12 +93,14 @@ let
 in ''
 table inet filter {
 chain input {
- type filter hook input priority 0;
- iif lo accept;
+ type filter hook input priority 0
+ iif lo accept
- ct state {established, related} accept;
+ ct state {established, related} counter accept
+ ip protocol icmp limit rate 4/second counter accept
+ meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept
- counter drop;
+ counter drop
 }
 chain output {
@@ -106,18 +109,23 @@ let
 }
 chain forward {
- type filter hook forward priority 0; policy drop;
+ type filter hook forward priority 0; policy drop
- ct state vmap { established : accept, related : accept, invalid : drop };
+ ct state vmap { established : accept, related : accept, invalid : drop }
+ iif lan-vport counter accept
+ iif dragon-vport counter accept
- counter drop;
+ counter drop
 }
 }
- table nat postrouting {
- chain nat {
- type nat hook postrouting priority 100;
- ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade;
+ table nat {
+ chain prerouting {
+ type nat hook prerouting priority -100; policy accept
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept
+ ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade
 }
 }
 '';
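Review bot: `systemd.services.nftables.after = ["kjlan-netdev.service"];` only orders the two units; it does not pull kjlan-netdev.service in, so nftables still starts when that unit was never activated or has failed. The ruleset further down matches interfaces with `iif` (by interface index), which makes the load fail when the vports are absent, and with `networking.firewall.enable = false` a failed nftables start leaves the router with neither filtering nor masquerade. Adding `systemd.services.nftables.requires = ["kjlan-netdev.service"];` (or `bindsTo`) next to the ordering makes the dependency explicit; what kjlan-netdev.service actually creates is not visible in this hunk. The enclosing attribute set continues outside the hunk.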
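Review bot: The new input rule `meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept` is not bound to an interface, so DNS and DHCP are accepted from every interface including wan-vport; unless dnsmasq is restricted elsewhere (its `interface=`/`bind-interfaces` settings are not in this hunk), that exposes an open resolver to the upstream side. Binding it to the LAN-facing interfaces, e.g. `iifname {lan-vport, dragon-vport} meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept`, keeps the service internal. Separately, `ip protocol icmp limit rate 4/second counter accept` matches IPv4 only: in this `inet` table ICMPv6 (neighbour discovery, and the router solicitations that go with the `enable-ra` setting in the first hunk) falls through to `counter drop`, so a rule such as `meta l4proto ipv6-icmp counter accept` is needed for IPv6 to work at all, and applying the 4/second limit to ND would be too tight. The chain definitions continue in the next hunk.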
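Review bot: `iif lan-vport counter accept` and `iif dragon-vport counter accept` accept forwarded traffic from each of those interfaces to any output interface, so the two segments can reach each other as well as wan-vport (and the mullvad interface, if it lives in the same network namespace); if dragon-vport is meant to be isolated, qualifying the rules with `oif wan-vport` (or `oif != dragon-vport`) keeps the policy explicit. `iif` also matches by interface index and the ruleset fails to load when the named device does not exist yet, whereas `iifname` matches by name and would avoid the startup ordering the earlier hunk appears to work around. The new empty prerouting chain and the unchanged masquerade rule are fine as written; the attribute set enclosing the ruleset continues outside the hunk.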
@@ -150,6 +158,7 @@ in {
 };
 };
+ orbekk.mullvad.enable = true;
 networking.wireguard.interfaces.mullvad.interfaceNamespace = "router";
 systemd.services."container@router" = {
-- 
cgit v1.2.3
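Review bot: With `orbekk.mullvad.enable = true;` and the mullvad interface placed in the `router` namespace on the next line, it is not visible here whether LAN traffic is meant to exit through the tunnel; if it is, the masquerade rule earlier in this file only matches `oif {"wan-vport"}`, so packets forwarded to the mullvad interface would leave with private source addresses unless the mullvad module adds its own NAT. A one-line comment next to this option stating which interface carries LAN egress would make the intent checkable, e.g. `# LAN egress stays on wan-vport; mullvad is used only by the router itself`. The `systemd.services."container@router"` attribute set opens on the hunk's last line and continues outside it.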