shinobu/router: Switch to nftables

2023-08-08 14:19:48 +02:00 · 2023-08-08 14:19:48 +02:00 · 826929571b
parent ba1f9262fb
commit 826929571b
1 changed files with 26 additions and 6 deletions
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@ -43,13 +43,33 @@ in
  networking = {
    # networkd handles this
    useDHCP = false;
-    # networkd didn’t work that well for this
-    nat = {
+
+    nftables = {
      enable = true;
-      enableIPv6 = true;
-      externalInterface = "wg-upstream";
-      internalInterfaces = [ "br-lan" ];
-      internalIPv6s = [ "fd00:80:1::/64" ];
+      ruleset = ''
+        define NAT_LAN_IFACES = { "br-lan" }
+        define NAT_WAN_IFACES = { "wg-upstream" }
+
+        table inet filter {
+          chain forward {
+            type filter hook forward priority filter; policy drop;
+
+            iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
+            iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
+          }
+        }
+
+        table inet nat {
+          chain prerouting {
+            type nat hook prerouting priority filter; policy accept;
+          }
+
+          chain postrouting {
+            type nat hook postrouting priority filter; policy accept;
+            oifname $NAT_WAN_IFACES masquerade;
+          }
+        }
+      '';
    };
  };