From ff2ded07e7a525b2e26fc5d87b8ee258af53be93 Mon Sep 17 00:00:00 2001 From: sinanmohd Date: Sun, 17 Sep 2023 15:46:42 +0530 Subject: kay/networking: clean up --- hosts/kay/modules/router.nix | 17 +++++++---------- hosts/kay/modules/wireguard.nix | 15 +++++---------- 2 files changed, 12 insertions(+), 20 deletions(-) (limited to 'hosts') diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix index e390ded..cf748ce 100644 --- a/hosts/kay/modules/router.nix +++ b/hosts/kay/modules/router.nix @@ -11,7 +11,11 @@ let in { networking = { - nat.enable = true; + nat = { + enable = true; + externalInterface = wanInterface; + internalInterfaces = [ lanInterface ]; + }; useDHCP = false; interfaces."${lanInterface}" = { ipv4.addresses = [{ @@ -20,17 +24,10 @@ in }]; }; firewall = { + allowedUDPPorts = [ 53 67 ]; + allowedTCPPorts = [ 53 ]; extraCommands = '' - # nat datagrams comming through lanInterface to wanInterface iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE - - # allow all traffic on lanInterface interface - iptables -I INPUT 1 -i ${lanInterface} -j ACCEPT - - # forward rules - iptables -I FORWARD 1 -i ${lanInterface} -o ${lanInterface} -j ACCEPT - iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT - iptables -I FORWARD 1 -i ${lanInterface} -o ${wanInterface} -j ACCEPT ''; }; }; diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix index 4839280..efafdcb 100644 --- a/hosts/kay/modules/wireguard.nix +++ b/hosts/kay/modules/wireguard.nix @@ -11,20 +11,15 @@ in sops.secrets."misc/wireguard" = {}; networking = { - nat.enable = true; + nat = { + enable = true; + externalInterface = wanInterface; + internalInterfaces = [ wgInterface ]; + }; firewall = { allowedUDPPorts = [ port ]; extraCommands = '' - # nat datagrams comming through lanInterface to wanInterface iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE - - # allow all traffic on lanInterface interface - iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT - - # forward rules - iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT - iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT - iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT ''; }; -- cgit v1.2.3