{ config, pkgs, ... }: { networking = { firewall.checkReversePath = false; nat.enable = false; nftables = { enable = true; tables = { "cloonar-fw" = { family = "inet"; content = '' chain output { type filter hook output priority 100; policy accept; } chain rpfilter { type filter hook prerouting priority mangle + 10; policy drop; meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server" fib saddr . mark . iif oif exists accept } chain input { type filter hook input priority filter; policy drop; iifname "lo" accept comment "trusted interfaces" iifname "lan" counter accept comment "Spice" ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow } tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info } chain input-allow { udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections" iifname lo accept iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic" iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic" iifname "lan" tcp dport 5931 counter accept comment "Spice" iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" iifname { "multimedia", "smart", "infrastructure", "podman0", "setup" } udp dport { 53, 5353 } counter accept comment "DNS" iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" # Accept mDNS for avahi reflection iifname "server" ip saddr ${config.networkPrefix}.97.20/32 tcp dport { llmnr } counter accept iifname "server" ip saddr ${config.networkPrefix}.97.20/32 udp dport { mdns, llmnr } counter accept # Allow all returning traffic ct state { established, related } counter accept # Allow returning traffic from wrwks and drop everthing else iifname "wrwks" ct state { established, related } counter accept iifname "wrwks" drop # Allow returning traffic from wg_epicenter and drop everthing else iifname "wg_epicenter" ct state { established, related } counter accept iifname "wg_epicenter" drop # Allow returning traffic from wg_ghetto_at and drop everthing else iifname "wg_ghetto_at" ct state { established, related } counter accept iifname "wg_ghetto_at" drop # Allow returning traffic from wan and drop everthing else iifname "wan" ct state { established, related } accept comment "Allow established traffic" iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan" limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic" } chain forward { type filter hook forward priority filter; policy drop; iifname "wg_cloonar" counter accept comment "test wireguard" iifname "wg_cloonar" oifname lo counter accept comment "wireguard to server" # enable flow offloading for better throughput # ip protocol { tcp, udp } flow offload @f # broadcast iifname "server" oifname { "lan", "multimedia" } udp dport { 9 } counter accept comment "wakeonlan" # multimedia airplay iifname "multimedia" oifname { "lan" } counter accept iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept # avahi iifname "server" ip saddr ${config.networkPrefix}.97.20/32 oifname { "lan" } counter accept # smart home coap iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 udp dport { 5683 } counter accept iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept # Forward to git server oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept # lan and vpn to any iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld" # accept palword server iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld" # forward to ark server oifname "server" ip daddr ${config.networkPrefix}.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved" oifname "server" ip daddr ${config.networkPrefix}.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved" # firefox-sync oifname "server" ip daddr ${config.networkPrefix}.97.51 tcp dport { 5000 } counter accept comment "firefox-sync" # allow all established, related ct state { established, related } accept comment "Allow established traffic" # Allow trusted network WAN access iifname { "lan", "infrastructure", "server", "vserver", "multimedia", "smart", "wg_cloonar", "podman*", "guest", "setup", "vb-*", "vm-*", } oifname { "wan", } counter accept comment "Allow trusted LAN to WAN" limit rate 60/minute burst 100 packets log prefix "Forward - Drop: " comment "Log any unmatched traffic" } ''; }; "cloonar-nat" = { family = "ip"; content = '' chain prerouting { type nat hook prerouting priority filter; policy accept; iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255 iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50 iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5 iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51 iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201 iifname { "wan", "lan" } tcp dport { 27020 } dnat to ${config.networkPrefix}.97.201 } # Setup NAT masquerading on external interfaces chain postrouting { type nat hook postrouting priority filter; policy accept; oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade iifname { "lan", "wg_cloonar" } ip daddr ${config.networkPrefix}.110.101 masquerade iifname { "wan", "wg_cloonar" } ip daddr ${config.networkPrefix}.97.50 masquerade iifname { "wan", "wg_cloonar" } ip daddr ${config.networkPrefix}.97.51 masquerade iifname { "wan", "wg_cloonar" } ip daddr ${config.networkPrefix}.97.201 masquerade } ''; }; }; }; }; }