cleanup network config

2025-07-31 08:59:16 +02:00
parent 72fa80c977
commit 964131901a
2 changed files with 23 additions and 30 deletions
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -29,6 +29,8 @@

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];

+  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
  swapDevices =
    [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; }
    ];
--- a/networking.nix
+++ b/networking.nix
@@ -5,42 +5,33 @@
    hostName = "Stormwind";
    networkmanager.enable = false;

-    nftables = {
-      enable = true;
-      ruleset = ''
-          table ip nat {
-            chain PREROUTING {
-              type nat hook prerouting priority dstnat; policy accept;
-              iifname "enp4s0" tcp dport 8123 dnat to 10.46.32.153:8123
-              iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80
-              iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443
-              iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20
-              iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21
-              iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22
-              iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223
-              iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990
-              iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989
-              iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445
-              iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111
-              iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111
-              iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049
-              iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049
-              iifname "enp4s0" tcp dport 32765 dnat to 10.46.32.2:32765
-              iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765
-              iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768
-              iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768
-              iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048
-              iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048
-            }
-          }
-      '';
-    };

    firewall = {
      allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
      allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
+      trustedInterfaces = [ "incusbr0" ];
    };

+    # here’s the custom nftables filter ruleset for forwarded traffic:
+    nftables.ruleset = ''
+      table ip filter {
+        chain forward {
+          type filter hook forward priority 0; policy drop;
+          # allow established/related replies
+          ct state established,related accept
+
+          # allow new+established VM→Internet
+          iifname "incusbr0" oifname "enp4s0" ct state new,established accept
+          iifname "incusbr1" oifname "enp4s0" ct state new,established accept
+
+          # allow natted replies
+          iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
+          iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
+        }
+      }
+    '';
+
    bridges = {
      incusbr0 = {
        interfaces = [];