hosts: Replace iptables by nftables

modules/host.nix

@@ -58,13 +58,29 @@ let
         "${network.mashu}" = [ "mashu.local" ];
       };
 
-      firewall = {
+      nat.enable = false;
+      firewall.enable = false;
+      nftables = {
         enable = true;
-        extraCommands = lib.concatStringsSep "\n"
+
-          (map (item: "iptables -A INPUT --source ${item} -j ACCEPT")
+        ruleset = let
-            (with network; [
+          deviceIPString = lib.concatStringsSep "," (with network; [
-              miku nishimiya tamaki ayame mashu
+            miku nishimiya ayame tamaki mashu
-            ]));
+          ]);
+        in ''
+          table inet firewall {
+            chain input {
+              type filter hook input priority 0
+              policy drop
+
+              ct state { established, related } accept
+              iif lo accept
+
+              # Accept traffic from my devices
+              ip saddr { ${deviceIPString} } accept
+            }
+          }; 
+        '';
       };
     };