{ config, lib, pkgs, ... }: let wan-dev = "enp37s0"; lan-dev = "wlp39s0"; in { networking.networkmanager.enable = lib.mkForce false; networking.firewall = { enable = lib.mkForce false; allowedTCPPorts = lib.mkForce [ ]; allowedUDPPorts = lib.mkForce [ ]; allowPing = true; logRefusedConnections = false; checkReversePath = false; trustedInterfaces = [ "${lan-dev}" ]; }; services.ferm = { enable = true; config = '' @def $DEV_LAN = ${lan-dev}; @def $DEV_WAN = ${wan-dev}; @def $NET_LAN = 10.64.30.0/24; domain ip6 table filter chain INPUT { proto ipv6-icmp ACCEPT; proto udp dport (dhcpv6-client dhcpv6-server) ACCEPT; } domain (ip ip6) table filter { chain INPUT { policy DROP; mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; interface lo ACCEPT; proto icmp icmp-type echo-request ACCEPT; interface $DEV_WAN { # RTMP # proto (tcp udp) dport 1935 ACCEPT; # Factorio proto udp dport 34197 ACCEPT; } interface $DEV_LAN @subchain "services" { # 1935 for rtmp testing proto (tcp udp) dport (ssh domain bootps 1935 4317 5353) ACCEPT; # Chromecast # proto udp dport 32768:61000 ACCEPT; # proto udp dport (5353 1900) ACCEPT; # proto tcp dport (8008 8009) ACCEPT; # chain logdrop { # LOG log-level warning log-prefix "dropped-lan "; # DROP; # } # jump logdrop; } } chain OUTPUT policy ACCEPT; chain FORWARD { policy DROP; mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; interface $DEV_LAN ACCEPT; } } domain ip6 table filter chain INPUT { chain logdrop { LOG log-level warning log-prefix "dropped-6 "; DROP; } jump logdrop; } domain ip table nat { chain POSTROUTING { saddr $NET_LAN outerface $DEV_WAN MASQUERADE; } } ''; }; services = { openssh.enable = lib.mkDefault true; openssh.passwordAuthentication = false; }; boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.default.forwarding" = true; "net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.default.forwarding" = true; }; services.hostapd = { enable = true; ssid = "2c"; wpaPassphrase = "mintchip"; interface = "${lan-dev}"; hwMode = "g"; channel = 11; extraConfig = '' country_code=US wpa_key_mgmt=WPA-PSK rsn_pairwise=CCMP ''; }; networking.useDHCP = true; networking.dhcpcd = { enable = true; denyInterfaces = [ lan-dev ]; extraConfig = '' # debug noipv6rs interface ${wan-dev} dhcp ipv6rs ia_na 1 ia_pd 1/::/56 ${lan-dev}/0/64 ''; wait = "background"; }; services.dnsmasq = { enable = true; servers = [ "8.8.8.8" "8.8.4.4" ]; extraConfig = '' dhcp-authoritative dhcp-range=10.64.30.100,10.64.30.255,255.255.255.0,24h dhcp-option=option:router,10.64.30.1 dhcp-option=option:dns-server,10.64.30.1 dhcp-option=option:netmask,255.255.255.0 #dhcp-range=::,constructor:${lan-dev},slaac ''; }; networking.nat = { enable = true; externalInterface = "${wan-dev}"; internalInterfaces = [ "${lan-dev}" ]; # internalIPs = [ "10.0.0.0/24" ]; }; networking.interfaces.${wan-dev} = { macAddress = "3c:97:0e:19:7e:5c"; }; networking.interfaces."${lan-dev}" = { ipv4.addresses = [ { address = "10.64.30.1"; prefixLength = 24; } ]; }; }