nixos/hosts/fw/modules/firewall.nix

{ pkgs, ... }: {
  networking = {
    firewall.checkReversePath = false;
    nat.enable = false;
    nftables = {
      enable = true;
      tables = {
        "cloonar-fw" = {
          family = "inet";
          content = ''
            chain output {
              type filter hook output priority 100; policy accept;
            }

            chain rpfilter {
              type filter hook prerouting priority mangle + 10; policy drop;
              meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
              fib saddr . mark . iif oif exists accept
            }

            chain input {
              type filter hook input priority filter; policy drop;
              iifname "lo" accept comment "trusted interfaces"
              iifname "lan" counter accept comment "Spice"
              ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
              tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
            }

            chain input-allow {
              udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections"
              iifname lo accept
              iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
              iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
              iifname "lan" tcp dport 5931 counter accept comment "Spice"
              iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
              iifname { "multimedia", "smart", "infrastructure", "podman0", "setup" } udp dport { 53, 5353 } counter accept comment "DNS"
              iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"

              # Accept mDNS for avahi reflection
              iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept
              iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept

              # Allow all returning traffic
              ct state { established, related } counter accept

              # Allow returning traffic from wrwks and drop everthing else
              iifname "wrwks" ct state { established, related } counter accept
              iifname "wrwks" drop

              # Allow returning traffic from wg_epicenter and drop everthing else
              iifname "wg_epicenter" ct state { established, related } counter accept
              iifname "wg_epicenter" drop

              # Allow returning traffic from wg_ghetto_at and drop everthing else
              iifname "wg_ghetto_at" ct state { established, related } counter accept
              iifname "wg_ghetto_at" drop

              # Allow returning traffic from wan and drop everthing else
              iifname "wan" ct state { established, related } accept comment "Allow established traffic"
              iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
              iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"

              limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic"
            }

            chain forward {
              type filter hook forward priority filter; policy drop;

              iifname "wg_cloonar" counter accept comment "test wireguard"

              iifname "wg_cloonar" oifname lo counter accept comment "wireguard to server"

              # enable flow offloading for better throughput
              # ip protocol { tcp, udp } flow offload @f

              # broadcast
              iifname "server" oifname { "lan", "multimedia" } udp dport { 9 } counter accept comment "wakeonlan"

              # multimedia airplay
              iifname "multimedia" oifname { "lan" } counter accept
              iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
              iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept
              # avahi
              iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept

              # smart home coap
              iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept
              iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept

              # Forward to git server
              oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept 
              oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept 

              # lan and vpn to any
              iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
              iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
              iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept
              iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"

              # accept palword server
              iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld"
              # forward to ark server
              oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
              oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"

              # firefox-sync
              oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync"

              # allow all established, related
              ct state { established, related } accept comment "Allow established traffic"

              # Allow trusted network WAN access
              iifname {
                "lan",
                "infrastructure",
                "server",
                "vserver",
                "multimedia",
                "smart",
                "wg_cloonar",
                "podman*",
                "guest",
                "setup",
                "vb-*",
                "vm-*",
              } oifname {
                "wan",
              } counter accept comment "Allow trusted LAN to WAN"

              limit rate 60/minute burst 100 packets log prefix "Forward - Drop: " comment "Log any unmatched traffic"
            }
          '';
        };
        "cloonar-nat" = {
          family = "ip";
          content = ''
            chain prerouting {
              type nat hook prerouting priority filter; policy accept;
              iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255
              iifname "wan" tcp dport { 22 } dnat to 10.42.97.50
              iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5
              iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51
              iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201
              iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201
            }

            # Setup NAT masquerading on external interfaces
            chain postrouting {
              type nat hook postrouting priority filter; policy accept;
              oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
              iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade
              iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade
              iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade
            }
          '';
        };
      };
    };
  };
}