1 files changed, 12 insertions, 2 deletions

diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 7502b3c7..e81fee84 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -46,6 +46,7 @@ let
   inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
   hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
   hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
+  isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
   linkToPeer = opts@{from, to, ...}:
     let
       other = if from == hostName then to else from;
@@ -90,8 +91,17 @@ in {
 
     networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
 
-    boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) {
-      "net.ipv6.conf.yggdrasil.forwarding" = 1;
+    networking.firewall = mkIf isRouter {
+      extraCommands = ''
+        iptables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
+        iptables -A FORWARD -j nixos-fw-log-refuse
+        sysctl net.ipv6.conf.all.forwarding=1
+      '';
+      extraStopCommands = ''
+        sysctl net.ipv6.conf.all.forwarding=0
+        iptables -D FORWARD -j nixos-fw-log-refuse
+        iptables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
+      '';
     };
   };
 }