| author | Tim Keller <tjk@tjkeller.xyz> | 2026-03-27 15:51:41 -0500 |
|---|---|---|
| committer | Tim Keller <tjk@tjkeller.xyz> | 2026-03-27 15:51:41 -0500 |
| commit | 880435bcaf4446474ce025a89d9639b68ab88d59 (patch) | |
| tree | 9182ea05a20ed4ede4eb2a3976c6239410fbbe12 | |
| parent | 18916f2edd08e74ef8401b30e6cae291319bfc8c (diff) | |
| download | nixos-880435bcaf4446474ce025a89d9639b68ab88d59.tar.xz nixos-880435bcaf4446474ce025a89d9639b68ab88d59.zip | |
simplify and fix routing module
| -rw-r--r-- | nixos/services/router/routing.nix | 62 |
1 files changed, 19 insertions, 43 deletions
diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix
index c0c49e6..25d91dd 100644
--- a/nixos/services/router/routing.nix
+++ b/nixos/services/router/routing.nix
@@ -9,6 +9,7 @@ in {
 default = "";
 description = "wan interface";
 };
+ # TODO allow multiple lan
 lan = lib.mkOption {
 type = lib.types.str;
 default = "";
@@ -18,51 +19,26 @@ in {
 };
 config = lib.mkIf cfg.enable {
- networking.nftables = {
- enable = true;
- tables.filter = {
- family = "ip";
- # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/
- content = ''
- chain input {
- type filter hook input priority 0; policy drop;
-
- # Allow established/related connections
- ct state established,related accept
-
- # Allow loopback
- iifname "lo" accept
-
- # Allow LAN to access router
- iifname ${cfg.interfaces.lan} accept
-
- # Allow ICMP from WAN (for ping)
- iifname ${cfg.interfaces.wan} icmp type echo-request accept
-
- # Drop invalid connections
- ct state invalid drop
- }
-
- chain forward {
- type filter hook forward priority 0; policy drop;
-
- # Allow established/related connections
- ct state established,related accept
-
- # Allow LAN to WAN
- iifname ${cfg.interfaces.lan} oifname ${cfg.interfaces.wan} accept
-
- # Drop invalid connections
- ct state invalid drop
- }
-
- chain output {
- type filter hook output priority 0; policy accept;
- }
+ # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/
+ networking = {
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ backend = "nftables"; # Set explicitly
+
+ # Allow lan to access the router
+ trustedInterfaces = [ cfg.interfaces.lan ];
+
+ # Allow lan to access the internet
+ extraForwardRules = ''
+ iifname "${cfg.interfaces.lan}" oifname "${cfg.interfaces.wan}" accept
 '';
 };
+ nat = {
+ enable = true;
+ externalInterface = cfg.interfaces.wan;
+ internalInterfaces = [ cfg.interfaces.lan ];
+ };
 };
- networking.nat.enable = true;
- networking.firewall.enable = true;
 };
 } |
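Review bot: The lan-to-wan rule placed in `extraForwardRules` likely never takes effect, because as far as I recall the NixOS nftables firewall only emits its forward chain (and the forward-allow chain that `extraForwardRules` feeds) when `networking.firewall.filterForward = true`, and this hunk does not set it. The removed ruleset had an explicit `chain forward` with `policy drop` that only admitted established/related traffic and lan→wan, so without `filterForward` the host would forward with no filter at all and the restrictive posture this commit replaces is silently lost; adding `filterForward = true;` beside `backend = "nftables";` restores it, and `filterForward` is the option to verify against the firewall module docs in case the `backend` attribute is not one the module accepts. Separately, both interface options keep `default = ""` (visible in the first hunk), so an unset interface evaluates to `trustedInterfaces = [ "" ]` and `iifname "" oifname "" accept`, which at best fails to load and at worst trusts nothing sensible; dropping the defaults or adding an assertion that both names are non-empty would fail evaluation early instead.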
