67 lines
1.6 KiB
Plaintext
67 lines
1.6 KiB
Plaintext
define NAT_LAN_IFACES = { "br-lan" }
|
|
define PHYSICAL_WAN = "enp1s0"
|
|
define NAT_WAN_IFACES = { $PHYSICAL_WAN }
|
|
|
|
table inet filter {
|
|
chain forward {
|
|
type filter hook forward priority filter; policy drop
|
|
|
|
# allow traffic between lan and wan
|
|
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
|
|
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
|
|
}
|
|
}
|
|
|
|
table inet nat {
|
|
chain postrouting {
|
|
type nat hook postrouting priority filter; policy accept
|
|
oifname $NAT_WAN_IFACES masquerade
|
|
}
|
|
}
|
|
|
|
# Only allow select connections from and to (physical) wan,
|
|
# overriding NixOS firewall in some cases.
|
|
table inet restrict-wan {
|
|
# Priorities must be higher than filter (0),
|
|
# which the NixOS firewall uses.
|
|
chain input {
|
|
type filter hook input priority -50; policy accept
|
|
|
|
# accept responses
|
|
iifname $PHYSICAL_WAN ct state established,related counter accept
|
|
|
|
# accept icmpv6
|
|
iifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
|
|
# drop everything else
|
|
iifname $PHYSICAL_WAN counter drop
|
|
}
|
|
|
|
# This handles all packets (local and forwarded)
|
|
chain postrouting {
|
|
type filter hook postrouting priority 0; policy accept
|
|
|
|
# accept connections over physical wan
|
|
oifname $PHYSICAL_WAN counter accept
|
|
}
|
|
}
|
|
|
|
# Tracing infrastructure, can be used for debugging (nft monitor trace)
|
|
table inet trace {
|
|
chain prerouting {
|
|
type filter hook prerouting priority raw - 1
|
|
jump common
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority raw - 1
|
|
jump common
|
|
}
|
|
|
|
chain common {
|
|
# Add tracing rule here
|
|
# … meta nftrace set 1
|
|
# DO NOT COMMIT ANY TRACING RULES
|
|
}
|
|
}
|