Diffstat (limited to 'os')
-rw-r--r--os/kay/modules/hurricane.nix6
-rw-r--r--os/kay/modules/router.nix18
-rw-r--r--os/kay/modules/wireguard.nix10
3 files changed, 20 insertions, 14 deletions
diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/hurricane.nix
index 9aaf1d1..511b213 100644
--- a/os/kay/modules/hurricane.nix
+++ b/os/kay/modules/hurricane.nix
@@ -42,8 +42,12 @@ in
rttablesExtraConfig = "200 hurricane";
};
- firewall.extraCommands =
+ firewall = {
+ extraCommands =
"iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT";
+ extraStopCommands =
+ "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT";
+ };
};
sops.secrets = {
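Review bot: The new `extraStopCommands` deletes the proto-41 ACCEPT rule with a bare `iptables -D`, which exits non-zero whenever the rule is not present (first boot, a manual flush, or a stop after a failed start); if the NixOS firewall stop script runs under `sh -e`, as I believe it does, that aborts any stop commands that follow. The usual NixOS idiom tolerates absence: `iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT 2>/dev/null || true`. On the start side `extraCommands` still uses `-A` with no preceding delete, so on any path where the stop commands do not run before the start commands the same ACCEPT rule is appended a second time — hedged, since the reload path is outside this diff. The enclosing module attribute set starts and ends outside the hunk.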
diff --git a/os/kay/modules/router.nix b/os/kay/modules/router.nix
index 5b0bda8..2e01789 100644
--- a/os/kay/modules/router.nix
+++ b/os/kay/modules/router.nix
@@ -43,13 +43,23 @@ in {
allowedUDPPorts = [ 53 67 ];
allowedTCPPorts = [ 53 ];
extraCommands = ''
- iptables -t nat -I POSTROUTING 1 \
- -s ${subnet}/${toString prefix} \
- -o ${wanInterface} \
- -j MASQUERADE
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-o ${wanInterface} \
-j TCPMSS --clamp-mss-to-pmtu
+
+ iptables -N inetfilter
+ iptables -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT
+ iptables -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT
+ iptables -A inetfilter -j DROP
+ iptables -I FORWARD -i lan -o ppp0 -j inetfilter
+ '';
+ extraStopCommands = ''
+ iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \
+ -o ${wanInterface} \
+ -j TCPMSS --clamp-mss-to-pmtu
+
+ iptables -w -t filter -F inetfilter
+ iptables -w -t filter -X inetfilter
'';
};
};
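Review bot: The new `extraStopCommands` flush and delete `inetfilter` (`-F`/`-X`) without first removing the `FORWARD -i lan -o ppp0 -j inetfilter` jump that `extraCommands` inserts, and `iptables -X` refuses to delete a chain that is still referenced, so the chain survives a stop, the next start's `iptables -N inetfilter` fails on the already-existing chain, and every start that does get through inserts another duplicate jump into FORWARD. A second issue is that the jump hardcodes `ppp0` while every other rule in this file uses `${wanInterface}`, so the allowlist silently matches nothing if the WAN interface is named differently. The `-s`/`--mac-source` pairs are not authentication — both values are chosen by the sending LAN host — so the DROP default is a convenience control and deserves a comment above the chain saying so. The rewrite below removes the jump before the chain, tolerates absent rules on stop, uses `${wanInterface}` consistently and `-w` on both sides; the enclosing `firewall` attribute set opens outside the hunk.
```nix
extraCommands = ''
  # … unchanged: TCPMSS clamp rule …

  # LAN -> WAN allowlist; the chain may survive an aborted stop, so create-or-flush
  iptables -w -N inetfilter 2>/dev/null || true
  iptables -w -F inetfilter
  iptables -w -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT
  iptables -w -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT
  iptables -w -A inetfilter -j DROP
  iptables -w -D FORWARD -i lan -o ${wanInterface} -j inetfilter 2>/dev/null || true
  iptables -w -I FORWARD -i lan -o ${wanInterface} -j inetfilter
'';
extraStopCommands = ''
  # … unchanged: TCPMSS clamp removal …

  iptables -w -D FORWARD -i lan -o ${wanInterface} -j inetfilter 2>/dev/null || true
  iptables -w -t filter -F inetfilter 2>/dev/null || true
  iptables -w -t filter -X inetfilter 2>/dev/null || true
'';
```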
diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix
index 4256dd3..21cec06 100644
--- a/os/kay/modules/wireguard.nix
+++ b/os/kay/modules/wireguard.nix
@@ -52,16 +52,8 @@ in {
externalInterface = wanInterface;
internalInterfaces = [ wgInterface ];
};
- firewall = {
- allowedUDPPorts = [ port ];
- extraCommands = ''
- iptables -t nat -I POSTROUTING 1 \
- -s ${subnet}/${toString prefix} \
- -o ${wanInterface} \
- -j MASQUERADE
- '';
- };
+ firewall.allowedUDPPorts = [ port ];
wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf;
};