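# Router firewall for this host.
#
# The whole packet filter and NAT policy lives in the hand-written nftables
# ruleset below; the NixOS-generated `nixos-fw` table is removed by the
# `nftables-fix` unit at the bottom of this file, so `networking.firewall.*`
# port options have NO effect on this machine.
{ pkgs, ... }:
{
  networking = {
    # The ruleset below ships its own `rpfilter` chain, so the NixOS one is
    # disabled rather than having two reverse-path chains on prerouting.
    firewall.checkReversePath = false;
    # Masquerading is done in `table ip nat` below, not by the NixOS NAT module.
    nat.enable = false;

    # Previous, `tables`-based version of this ruleset. Kept for reference only;
    # the live policy is `networking.nftables.ruleset` further down.
    # nftables = {
    #   enable = true;
    #   tables = {
    #     "cloonar-fw" = {
    #       family = "inet";
    #       content = ''
    #         chain output {
    #           type filter hook output priority 100; policy accept;
    #         }
    #
    #         chain input {
    #           type filter hook input priority filter; policy drop;
    #
    #           # accept any localhost traffic
    #           iifname lo accept
    #
    #           # Allow trusted networks to access the router
    #           iifname {
    #             "wan", # disable when final
    #             "lan",
    #             "wg_cloonar"
    #           } counter accept
    #
    #           # Allow networks to access the dns and dhcp
    #           iifname {
    #             "lan",
    #             "vb-*",
    #             "podman0",
    #             "infrastructure",
    #             "wg_cloonar",
    #             "smart",
    #             "multimedia"
    #           } udp dport { 53, 67, 68 } counter accept
    #           iifname {
    #             "lan",
    #             "podman0",
    #             "vb-*",
    #             "infrastructure",
    #             "wg_cloonar",
    #             "smart",
    #             "multimedia"
    #           } tcp dport { 80, 443, 853 } counter accept
    #
    #           # Accept mDNS for avahi reflection
    #           # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
    #           # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
    #
    #           # Allow returning traffic from wg_cloonar and drop everything else
    #           iifname "wg_cloonar" ct state { established, related } counter accept
    #           iifname "wg_cloonar" drop
    #
    #           iifname "wan" ct state { established, related } accept comment "Allow established traffic"
    #           iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
    #           iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
    #         }
    #
    #         chain forward {
    #           type filter hook forward priority filter; policy drop;
    #
    #           # enable flow offloading for better throughput
    #           # ip protocol { tcp, udp } flow offload @f
    #
    #           # multimedia airplay
    #           iifname "multimedia" oifname { "lan" } counter accept
    #
    #           # lan and vpn to any
    #           # TODO: disable wan when finished
    #           iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
    #           iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
    #
    #           # Allow trusted network WAN access
    #           iifname {
    #             "lan",
    #             "infrastructure",
    #             "vb-*",
    #             "podman0",
    #             "multimedia",
    #             "smart",
    #             "wg_cloonar",
    #           } oifname {
    #             "wan",
    #           } counter accept comment "Allow trusted LAN to WAN"
    #         }
    #       '';
    #     };
    #     "cloonar-nat" = {
    #       family = "ip";
    #       content = ''
    #         chain prerouting {
    #           type nat hook prerouting priority filter; policy accept;
    #         }
    #
    #         # Setup NAT masquerading on external interfaces
    #         chain postrouting {
    #           type nat hook postrouting priority filter; policy accept;
    #           oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
    #           # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
    #         }
    #       ''
    #     };
    #   };
    # };

    nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          # enable flow offloading for better throughput
          # flowtable f {
          #   hook ingress priority 0;
          #   devices = { lan, server, wg_cloonar, smart, multimedia, guest };
          # }

          chain output {
            type filter hook output priority 100; policy accept;
          }

          # Strict reverse-path check on every incoming packet: a packet is only
          # accepted if a route back to its source exists via the interface it
          # arrived on. Asymmetric paths (multi-homed hosts) are dropped here
          # silently - there is no log rule in this chain.
          chain rpfilter {
            type filter hook prerouting priority mangle + 10; policy drop;
            meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
            fib saddr . mark . iif oif exists accept
          }

          # Traffic addressed to the router itself. Returning traffic is settled
          # by the ct vmap; only new/untracked flows reach input-allow.
          chain input {
            type filter hook input priority filter; policy drop;
            iifname "lo" accept comment "trusted interfaces"
            ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
            # Rate-limited like the other log rules so a SYN burst from an
            # untrusted zone cannot flood the journal.
            tcp flags syn / fin,syn,rst,ack limit rate 60/minute burst 100 packets log prefix "refused connection: " level info
          }

          # New (and untracked) flows to the router. Anything not accepted here
          # falls back to `input`, which logs SYNs and drops.
          chain input-allow {
            iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
            # NOTE(review): blanket accept left from testing; wg_cloonar is
            # placed ahead of the rate limit on purpose, so keep it here if it stays.
            iifname "wg_cloonar" counter accept comment "test wireguard"
            # drop new UDP connections over rate limit
            # NOTE(review): this limit is global (no per-source meter), so one
            # noisy host can starve every other zone of new UDP flows; only
            # 53/5353 are exempt.
            udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop
            # Allow trusted networks to access the router
            iifname { "server", "vserver", "lan", } counter accept
            # Allow networks to access dhcp
            # NOTE(review): "guest" is absent from the DHCP and DNS lists - only
            # correct if guest clients are served from elsewhere; confirm.
            iifname { "lan", "server", "vserver", "infrastructure", "smart", "podman*", "multimedia" } udp dport { 67, 68 } counter accept
            # Allow networks to access dns (UDP only - TCP/53 fallback for
            # truncated answers is not admitted here)
            iifname { "lan", "server", "vserver", "infrastructure", "smart", "podman*", "multimedia" } udp dport { 53 } counter accept
            # allow audio system to access snapserver
            iifname { "server", "smart", "multimedia" } tcp dport { 1704, 1705 } counter accept
            # allow airplay access
            iifname "lan" tcp dport { 5000, 5353 } counter accept
            iifname "lan" udp dport { 5000, 5353, 6001 - 6011 } counter accept
            # Accept mDNS for avahi reflection
            iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept
            iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept
            # Palworld game server: these ports are reachable on the router's own
            # address from the internet. No DNAT for them exists in `table ip nat`
            # below; presumably podman publishes them - confirm.
            iifname { "wan", "lan" } udp dport { 8211, 27015 } counter accept
            # Returning traffic never reaches this chain (see the ct vmap in
            # `input`), so only the "drop everything else" rules remain for the
            # partner tunnels and wan.
            iifname "wrwks" drop comment "no new connections from wrwks"
            iifname "wg_epicenter" drop comment "no new connections from wg_epicenter"
            iifname "wg_ghetto_at" drop comment "no new connections from wg_ghetto_at"
            # Only ICMPv4 is admitted from wan. NOTE(review): if wan carries
            # IPv6, neighbour discovery / router advertisements are dropped by
            # the rule after this one - add the icmpv6 ND types if so.
            iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
            iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
            limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic"
          }

          # Traffic routed between zones.
          chain forward {
            type filter hook forward priority filter; policy drop;
            # NOTE(review): blanket accept left from testing - it admits
            # wg_cloonar to every zone (guest, podman*, ve-* included), ahead of
            # the scoped rules below. Remove once those are confirmed sufficient.
            iifname "wg_cloonar" counter accept comment "test wireguard"
            # enable flow offloading for better throughput
            # ip protocol { tcp, udp } flow offload @f
            # multimedia airplay
            iifname "multimedia" oifname { "lan" } counter accept
            iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
            iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept
            # avahi
            iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept
            # smart home coap
            iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept
            # Forward to git server (target of the wan DNAT below).
            # NOTE(review): no iifname, so every zone - guest and the partner
            # tunnels included - reaches the git host on 22/80/443. Add
            # `iifname "wan"` if only the DNAT'd public traffic is meant.
            oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept
            # lan and vpn to any internal zone (wan is deliberately not a source here)
            iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
            iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
            iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
            # Palworld game server
            iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept
            # allow all established, related
            ct state { established, related } accept comment "Allow established traffic"
            # Zones that may reach the internet
            iifname { "lan", "infrastructure", "server", "vserver", "multimedia", "smart", "wg_cloonar", "podman*", "guest", "vb-*", "ve-*", } oifname { "wan", } counter accept comment "Allow trusted LAN to WAN"
            limit rate 60/minute burst 100 packets log prefix "Forward - Drop: " comment "Log any unmatched traffic"
          }
        }

        table ip nat {
          # Public 22/80/443 go to the git host. Its sshd, not the router's, is
          # what the internet sees on port 22.
          chain prerouting {
            type nat hook prerouting priority filter; policy accept;
            iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
          }
          # Setup NAT masquerading on external interfaces
          chain postrouting {
            type nat hook postrouting priority filter; policy accept;
            oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
            # Hairpin: every forwarded flow to the git host, from any zone, is
            # rewritten to the router's address, so the host's logs and auth
            # tooling never see the real client. NOTE(review): if only the wan
            # DNAT needs this, narrow it to `ct status dnat ip daddr 10.42.97.50 masquerade`.
            ip daddr 10.42.97.50 masquerade
          }
        }
      '';
    };
  };

  # Removes the NixOS-generated `nixos-fw` table after nftables.service has
  # loaded the ruleset above, leaving the hand-written tables as the only
  # policy. `networking.firewall` is not disabled in this file, so the table
  # is created on every load and must be deleted again.
  systemd.services.nftables-fix = {
    description = "Delete nixos-fw table";
    after = [ "nftables.service" ];
    # These are [Unit] directives: they were previously placed in serviceConfig
    # (the [Service] section), where systemd ignores them with a warning.
    partOf = [ "nftables.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = let
      fixScript = pkgs.writeTextFile {
        name = "nftables-fix";
        executable = true;
        # The `add table` first makes the delete idempotent: `delete table`
        # alone fails (and so would this unit) when the table does not exist.
        text = ''
          #! ${pkgs.nftables}/bin/nft -f
          add table inet nixos-fw
          delete table inet nixos-fw
        '';
      };
    in {
      Type = "oneshot";
      ExecStart = [ fixScript ];
      StateDirectory = "nftables";
    };
  };
}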