1 files changed, 3 insertions, 47 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 622c2c54..e05b9416 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -78,54 +78,10 @@
        ];
      };
-      firewall = {
+      firewall.enable = false;
+      nftables = {
        enable = true;
-        package = pkgs.iptables-nftables-compat;
+        rulesetFile = ./ruleset.nft;
-        allowPing = true;
-        allowedTCPPorts = [
-          22 # ssh
-        ];
-        allowedUDPPorts = [
-          51820 # wireguard
-        ];
-        allowedUDPPortRanges = [
-          { from = 60000; to = 61000; } # mosh
-        ];
-        extraCommands = ''
-          ip46tables -D FORWARD -j nixos-fw-forward 2>/dev/null || true
-          ip46tables -F nixos-fw-forward 2>/dev/null || true
-          ip46tables -X nixos-fw-forward 2>/dev/null || true
-          ip46tables -N nixos-fw-forward
-          ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
-          ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
-          ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
-          ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
-          ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
-          ip46tables -A FORWARD -j nixos-fw-forward
-          ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t nat -F nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t nat -X nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t nat -N nixos-fw-postrouting
-          iptables -t nat -A nixos-fw-postrouting -o dsl -j MASQUERADE
-          ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting
-          ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t mangle -F nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t mangle -X nixos-fw-postrouting 2>/dev/null || true
-          ip46tables -t mangle -N nixos-fw-postrouting
-          ip46tables -t mangle -A nixos-fw-postrouting -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-          ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting
-        '';
      };
    };

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 622c2c54..e05b9416 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -78,54 +78,10 @@
78	];	78	];
79	};	79	};
80		80
81	firewall = {	81	firewall.enable = false;
		82	nftables = {
82	enable = true;	83	enable = true;
83	package = pkgs.iptables-nftables-compat;	84	rulesetFile = ./ruleset.nft;
84	allowPing = true;
85	allowedTCPPorts = [
86	22 # ssh
87	];
88	allowedUDPPorts = [
89	51820 # wireguard
90	];
91	allowedUDPPortRanges = [
92	{ from = 60000; to = 61000; } # mosh
93	];
94	extraCommands = ''
95	ip46tables -D FORWARD -j nixos-fw-forward 2>/dev/null \|\| true
96	ip46tables -F nixos-fw-forward 2>/dev/null \|\| true
97	ip46tables -X nixos-fw-forward 2>/dev/null \|\| true
98	ip46tables -N nixos-fw-forward
99
100	ip46tables -A nixos-fw-forward -i eno1 -j ACCEPT
101	ip46tables -A nixos-fw-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
102	ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type redirect -j nixos-fw-log-refuse
103	ip6tables -A nixos-fw-forward -p icmpv6 --icmpv6-type 139 -j nixos-fw-log-refuse
104	ip6tables -A nixos-fw-forward -p icmpv6 -j ACCEPT
105
106	ip46tables -A nixos-fw-forward -j nixos-fw-log-refuse
107	ip46tables -A FORWARD -j nixos-fw-forward
108
109
110	ip46tables -t nat -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null \|\| true
111	ip46tables -t nat -F nixos-fw-postrouting 2>/dev/null \|\| true
112	ip46tables -t nat -X nixos-fw-postrouting 2>/dev/null \|\| true
113	ip46tables -t nat -N nixos-fw-postrouting
114
115	iptables -t nat -A nixos-fw-postrouting -o dsl -j MASQUERADE
116
117	ip46tables -t nat -A POSTROUTING -j nixos-fw-postrouting
118
119
120	ip46tables -t mangle -D POSTROUTING -j nixos-fw-postrouting 2>/dev/null \|\| true
121	ip46tables -t mangle -F nixos-fw-postrouting 2>/dev/null \|\| true
122	ip46tables -t mangle -X nixos-fw-postrouting 2>/dev/null \|\| true
123
124	ip46tables -t mangle -N nixos-fw-postrouting
125	ip46tables -t mangle -A nixos-fw-postrouting -o dsl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
126
127	ip46tables -t mangle -A POSTROUTING -j nixos-fw-postrouting
128	'';
129	};	85	};
130	};	86	};
131		87