diff --git a/machines/shinobu/services/router.nix b/machines/shinobu/services/router.nix
index ecc2cef..181cb8f 100644
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@@ -62,6 +62,7 @@ in
 define VUEKO_V4 = 168.119.176.53
 define VUEKO_V6 = 2a01:4f8:c012:2f4::1
 define VUEKO_PORT = 51820
+ define WG_UPSTREAM_ENDPOINT = ${lib.elemAt (lib.splitString ":" (lib.elemAt config.systemd.network.netdevs.wg-upstream.wireguardPeers 0).wireguardPeerConfig.Endpoint) 0}
 define PLASTIC_ROUTER_V4 = 192.168.0.1
 
 table inet filter {
@@ -108,6 +109,35 @@ in
 ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter
 }
 }
+
+ # Only allow select connections from and to (physical) wan,
+ # overriding NixOS firewall in some cases.
+ table inet restrict-wan {
+ # Priorities must be higher than filter (0),
+ # which the NixOS firewall uses.
+
+ chain input {
+ type filter hook input priority -50; policy accept
+ # accept responses
+ iifname $PHYSICAL_WAN ct state established,related counter accept
+ # accept icmpv6
+ iifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+ # drop everything else
+ iifname $PHYSICAL_WAN counter drop
+ }
+
+ chain output {
+ type filter hook output priority -50; policy accept
+ # accept connections to plastic router
+ oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 accept
+ # accept icmpv6
+ oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+ # accept connections to selected endpoints
+ oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept
+ oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 counter accept
+ oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 counter accept
+ # drop all other packets
+ oifname $PHYSICAL_WAN counter drop
 }
 }
 '';
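Review bot: `lib.elemAt (lib.splitString ":" …) 0` in the new `define WG_UPSTREAM_ENDPOINT` line only yields a usable address when the wg-upstream peer Endpoint is a bare IPv4 `addr:port`; a hostname would reach `ip daddr` unresolved and a bracketed IPv6 literal would be cut at its first colon (e.g. `[2a01`, constructed example), and either makes the whole ruleset fail to load at activation, which is a bad moment for a firewall to fail. I would at least document the assumption next to the define, e.g. `# assumes the wg-upstream Endpoint is a bare IPv4 "addr:port"; a hostname or "[v6]:port" would break ruleset loading`, or better, check the shape of the Endpoint in Nix so a misconfiguration fails at evaluation time rather than at activation. The enclosing Nix string and the `let … in` it sits in start outside the hunk.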
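Review bot: The ICMPv6 set in the output chain (`oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept`) repeats the input set, but a host on the WAN side sends router solicitations rather than advertisements, so `nd-router-solicit` is missing and outbound `nd-router-advert` is presumably never needed here; if IPv6 on PHYSICAL_WAN relies on SLAAC, the host cannot solicit an RA after boot and depends on the upstream's periodic unsolicited ones. Consider `oifname $PHYSICAL_WAN icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept` and, if the WAN address comes from DHCP, confirm that lease acquisition still works with the final `oifname $PHYSICAL_WAN counter drop` in place. The comment `# Priorities must be higher than filter (0)` reads backwards for the value -50: nftables runs base chains on a hook in ascending priority order, so these chains run before the NixOS filter chain; I would write `# Priority -50 runs before the NixOS filter chain (priority 0), so drops here take effect first.` Worth stating too, since the table header says it overrides the NixOS firewall: `accept` in one base chain does not skip later base chains on the same hook, so the accept rules here only exempt a packet from this table's drop and the packet is still evaluated by the NixOS chain at priority 0, i.e. only the drops override. The closing `}` lines and `'';` at the end of the hunk belong to the `table inet filter` and the Nix string that start outside the hunk.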