{ config, lib, ... }: with import ./network.nix; let open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ 22 # ssh 80 # http 443 # https 8448 # matrix 10022 # gitea 18080 # monero 51413 # transmission ]; open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ 1194 # wireguard 51413 # transmission ]; open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ 22 80 443 32400 # plex ]; open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ 53 # dns 1194 # vpn ]; in { networking = { # needed to use nftables firewall.enable = false; nat.enable = false; nftables = { enable = true; ruleset = '' table ip raw { chain PREROUTING { type filter hook prerouting priority raw; policy accept; } chain OUTPUT { type filter hook output priority raw; policy accept; } } table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } chain INPUT { type nat hook input priority 100; policy accept; } chain OUTPUT { type nat hook output priority -100; policy accept; } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname ${wan-if} ip saddr {${ lib.concatStringsSep "," towan-wg }} masquerade } } table ip mangle { chain PREROUTING { type filter hook prerouting priority mangle; policy drop; ct state invalid,untracked drop comment "drop invalid" ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname "lo" accept comment "bind any ip to intf lo" jump mangle_drop } chain INPUT { type filter hook input priority mangle; policy accept; } chain FORWARD { type filter hook forward priority mangle; policy accept; } chain OUTPUT { type route hook output priority mangle; policy accept; } chain POSTROUTING { type filter hook postrouting priority mangle; policy accept; } chain mangle_drop { ip protocol icmp jump mangle_drop_icmp ip protocol udp jump mangle_drop_udp ip protocol tcp jump mangle_drop_tcp log prefix "MANGLE-DROP-UNK " drop } chain mangle_drop_icmp { log prefix "MANGLE-DROP-ICMP " drop } chain mangle_drop_tcp { log prefix "MANGLE-DROP-TCP " drop } chain mangle_drop_udp { log prefix "MANGLE-DROP-UDP " drop } } table ip filter { chain INPUT { type filter hook input priority filter; policy drop; ct state established,related accept iifname "lo" accept comment "loopback" ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip saddr ${lan-net} accept comment "lan > local" ip saddr ${proxy-wg} accept comment "proxy > local" ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local" iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} icmp type echo-request accept jump filter_drop } chain FORWARD { type filter hook forward priority filter; policy drop; ct state established,related accept # client to client ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${ lib.concatStringsSep "," c2c-wg }} accept # gdevices talking to everyone in VPN ip saddr {${ lib.concatStringsSep "," gdevices-wg }} ip daddr ${vpn-net} accept ip saddr {${ lib.concatStringsSep "," gamenet-wg }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept # nat to wan oifname ${wan-if} ip saddr {${ lib.concatStringsSep "," towan-wg }} accept jump filter_drop } chain OUTPUT { type filter hook output priority filter; policy drop; ct state established,related accept accept comment "local > *" jump filter_drop } chain filter_drop { ip protocol icmp jump filter_drop_icmp ip protocol udp jump filter_drop_udp ip protocol tcp jump filter_drop_tcp log prefix "DROP-UNK " drop } chain filter_drop_icmp { log prefix "DROP-icmp " drop } chain filter_drop_tcp { log prefix "DROP-tcp " drop } chain filter_drop_udp { log prefix "DROP-udp " drop } } ''; }; }; }