hosts: Replace iptables by nftables

2021-09-11 20:38:34 +02:00 · 2021-09-11 20:38:34 +02:00 · 06a4a0fdf2
commit 06a4a0fdf2
parent fc46741249
1 changed files with 22 additions and 6 deletions
--- a/modules/host.nix
+++ b/modules/host.nix
@ -58,13 +58,29 @@ let
        "${network.mashu}" = [ "mashu.local" ];
      };

-      firewall = {
+      nat.enable = false;
+      firewall.enable = false;
+      nftables = {
        enable = true;
-        extraCommands = lib.concatStringsSep "\n"
-          (map (item: "iptables -A INPUT --source ${item} -j ACCEPT")
-            (with network; [
-              miku nishimiya tamaki ayame mashu
-            ]));
+
+        ruleset = let
+          deviceIPString = lib.concatStringsSep "," (with network; [
+            miku nishimiya ayame tamaki mashu
+          ]);
+        in ''
+          table inet firewall {
+            chain input {
+              type filter hook input priority 0
+              policy drop
+
+              ct state { established, related } accept
+              iif lo accept
+
+              # Accept traffic from my devices
+              ip saddr { ${deviceIPString} } accept
+            }
+          }; 
+        '';
      };
    };