commit bbc80c697e8344665c53e36a14c3335998fb97d4
parent a4b901f2881acd42f5e7c178a1bbca27da306c24
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 7 Mar 2025 11:42:34 +0100
parent a4b901f2881acd42f5e7c178a1bbca27da306c24
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 7 Mar 2025 11:42:34 +0100
configurations/nixos/configure/router: use nftables for NAT
2 files changed, 77 insertions(+), 66 deletions(-)
M
|
142
+++++++++++++++++++++++++++++++++++++++++++------------------------------------
diff --git a/configurations/nixos/configure/router/ruleset.nft b/configurations/nixos/configure/router/ruleset.nft 
@@ -1,69 +1,81 @@
 flush ruleset
 
 table inet firewall {
- chain inbound {
- # By default, drop all traffic unless it meets a filter
- # criteria specified by the rules that follow below.
- type filter hook input priority 0;
- policy drop;
-
- # Allow traffic from established and related packets.
- ct state established,related accept
-
- # Drop invalid packets.
- ct state invalid drop
-
- # Allow local connections.
- iifname lo accept
- iifname brlan accept
-
- # Allow all ICMP and IGMP traffic, but enforce a rate limit
- # to help prevent some types of flood attacks.
- ip protocol icmp limit rate 5/second accept
- ip protocol igmp limit rate 5/second accept
- ip6 nexthdr ipv6-icmp limit rate 5/second accept
-
- # required for dhcp-pd to work!
- udp dport dhcpv6-client accept
-
- # Allow some ports
- tcp dport ssh accept
- tcp dport http accept
- tcp dport https accept
- tcp dport 22000 accept comment "syncthing"
- udp dport 21027 accept comment "syncthing"
- }
-
- chain forward {
- # By default, drop all traffic unless it meets a filter
- type filter hook forward priority 0;
- policy drop;
-
- tcp flags syn tcp option maxseg size set rt mtu
-
- # Allow traffic from established and related packets.
- ct state established,related accept
-
- # Drop invalid packets.
- ct state invalid drop
-
- # local clients can do whatever
- iifname brlan accept
-
- # Allow all ICMP and IGMP traffic, but enforce a rate limit
- # to help prevent some types of flood attacks.
- ip protocol icmp limit rate 5/second accept
- ip protocol igmp limit rate 5/second accept
- ip6 nexthdr ipv6-icmp limit rate 5/second accept
-
- # drop incomming netbios traffic
- tcp dport {139, 445} counter drop comment "silently drop NetBios"
- udp dport {137, 138} counter drop comment "silently drop NetBios"
- }
-
- chain outbound {
- # Allow all outbound traffic
- type filter hook output priority 0
- policy accept
- }
+ chain inbound {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0;
+ policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow local connections.
+ iifname lo accept
+ iifname brlan accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 5/second accept
+ ip protocol igmp limit rate 5/second accept
+ ip6 nexthdr ipv6-icmp limit rate 5/second accept
+
+ # required for dhcp-pd to work!
+ udp dport dhcpv6-client accept
+
+ # Allow some ports
+ tcp dport ssh accept
+ tcp dport http accept
+ tcp dport https accept
+ tcp dport 22000 accept comment "syncthing"
+ udp dport 21027 accept comment "syncthing"
+ }
+
+ chain forward {
+ # By default, drop all traffic unless it meets a filter
+ type filter hook forward priority 0;
+ policy drop;
+
+ tcp flags syn tcp option maxseg size set rt mtu
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # local clients can do whatever
+ iifname brlan accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 5/second accept
+ ip protocol igmp limit rate 5/second accept
+ ip6 nexthdr ipv6-icmp limit rate 5/second accept
+
+ # drop incomming netbios traffic
+ tcp dport {139, 445} counter drop comment "silently drop NetBios"
+ udp dport {137, 138} counter drop comment "silently drop NetBios"
+ }
+
+ chain outbound {
+ # Allow all outbound traffic
+ type filter hook output priority 0
+ policy accept
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority -100
+ policy accept
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat + 1; policy accept;
+ ip saddr 10.0.0.0/8 masquerade;
+ }
 }
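Review bot: The new masquerade rule in `chain postrouting` keys only on `ip saddr 10.0.0.0/8`, so every packet with a 10/8 source is rewritten regardless of the interface it leaves on; scoping it to the uplink, `oifname <WAN_IFNAME> ip saddr 10.0.0.0/8 counter masquerade` (interface name to be taken from the networkd configuration, which this hunk does not show), keeps any traffic routed between internal interfaces un-NATed and the `counter` gives a cheap way to confirm the rule is seeing the expected traffic. The empty `chain prerouting` and the `priority srcnat + 1` offset are undocumented; a one-line comment on each (why a prerouting nat hook is registered with no rules, and why the chain is placed one step after the standard srcnat priority rather than at `priority srcnat`) would spare the next reader from guessing at intent. The two new chains are also written inconsistently: prerouting uses the numeric `priority -100` and no statement terminators, while postrouting uses the named priority and trailing semicolons, so settling on one form such as `type nat hook prerouting priority dstnat; policy accept;` would match the firewall table above.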
diff --git a/configurations/nixos/configure/router/systemd-networkd.nix b/configurations/nixos/configure/router/systemd-networkd.nix @@ -133,7 +133,6 @@ networkConfig = { ConfigureWithoutCarrier = true; IPv4Forwarding = true; - IPMasquerade = "ipv4"; DHCPPrefixDelegation = true; IPv6PrivacyExtensions = false;