From ff2ded07e7a525b2e26fc5d87b8ee258af53be93 Mon Sep 17 00:00:00 2001
From: sinanmohd <sinan@sinanmohd.com>
Date: Sun, 17 Sep 2023 15:46:42 +0530
Subject: kay/networking: clean up

---
 hosts/kay/modules/router.nix    | 17 +++++++----------
 hosts/kay/modules/wireguard.nix | 15 +++++----------
 2 files changed, 12 insertions(+), 20 deletions(-)

(limited to 'hosts')

diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
index e390ded..cf748ce 100644
--- a/hosts/kay/modules/router.nix
+++ b/hosts/kay/modules/router.nix
@@ -11,7 +11,11 @@ let
 in
 {
   networking = {
-    nat.enable = true;
+    nat = {
+      enable = true;
+      externalInterface = wanInterface;
+      internalInterfaces = [ lanInterface ];
+    };
     useDHCP = false;
     interfaces."${lanInterface}" = {
       ipv4.addresses = [{ 
@@ -20,17 +24,10 @@ in
       }];
     };
     firewall = {
+      allowedUDPPorts = [ 53 67 ];
+      allowedTCPPorts = [ 53 ];
       extraCommands = ''
-        # nat datagrams comming through lanInterface to wanInterface
         iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
-
-        # allow all traffic on lanInterface interface
-        iptables -I INPUT 1 -i ${lanInterface} -j ACCEPT
-
-        # forward rules
-        iptables -I FORWARD 1 -i ${lanInterface} -o ${lanInterface} -j ACCEPT
-        iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT
-        iptables -I FORWARD 1 -i ${lanInterface} -o ${wanInterface} -j ACCEPT
       '';
     };
   };
diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix
index 4839280..efafdcb 100644
--- a/hosts/kay/modules/wireguard.nix
+++ b/hosts/kay/modules/wireguard.nix
@@ -11,20 +11,15 @@ in
   sops.secrets."misc/wireguard" = {};
 
   networking = {
-    nat.enable = true;
+    nat = {
+      enable = true;
+      externalInterface = wanInterface;
+      internalInterfaces = [ wgInterface ];
+    };
     firewall = {
       allowedUDPPorts = [ port ];
       extraCommands = ''
-        # nat datagrams comming through lanInterface to wanInterface
         iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
-
-        # allow all traffic on lanInterface interface
-        iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT
-
-        # forward rules
-        iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
-        iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT
-        iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
       '';
     };
 
-- 
cgit v1.2.3