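{ config, lib, pkgs, ... }:

let
  cfg = config.networking.firewall;

  # Uplink interface. Everything below that talks about "outside" means this NIC.
  wan = "enp35s0";

  # Render plain ports and {from,to} ranges as the elements of an nft anonymous
  # set, e.g. `8000-8100, 22, 80`. Ranges first, then ports, as before.
  mkPorts = ports: ranges:
    lib.concatStringsSep ", "
      (map ({ from, to }: "${toString from}-${toString to}") ranges
        ++ map toString (lib.unique ports));

  # Emit `PROTO dport { ... } accept` only when there is something to list.
  # nftables rejects an empty anonymous set (`tcp dport { } accept` is a syntax
  # error), so with no allowed ports the whole ruleset would fail to load and the
  # host would come up without any firewall.
  mkAcceptRule = proto: ports: ranges:
    lib.optionalString (ports != [ ] || ranges != [ ])
      "${proto} dport { ${mkPorts ports ranges} } accept";
in
{
  # The iptables-based NixOS firewall/NAT modules are replaced by the hand-written
  # nftables ruleset below. The networking.firewall.allowed* options are still
  # read, so services that set `openFirewall = true` keep working.
  networking.firewall.enable = false;
  networking.nat.enable = false;

  boot = {
    # NOTE(review): since Linux 4.7 conntrack helpers are not auto-assigned
    # (nf_conntrack_helper=0), so loading nf_nat_ftp alone does nothing without a
    # `ct helper` rule in the ruleset — confirm this module is still wanted.
    kernelModules = [ "nf_nat_ftp" ];
    kernel.sysctl = {
      # IPv4 forwarding is required for the container NAT below. IPv6 forwarding
      # is intentionally left off: the nat table is `ip` (IPv4) only.
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv4.conf.default.forwarding" = true;
    };
  };

  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        chain input {
          type filter hook input priority filter; policy drop;

          # ICMPv6 types needed for neighbour discovery, MLD and PMTUD; IPv4 ping.
          icmpv6 type {
            echo-request, echo-reply,
            mld-listener-query, mld-listener-report, mld-listener-done,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            packet-too-big
          } accept
          icmp type echo-request accept

          ct state invalid drop
          ct state established,related accept
          iifname "lo" accept

          # Ports opened via networking.firewall.allowed{TCP,UDP}Port{s,Ranges}.
          # Either line is omitted entirely when its lists are empty.
          ${mkAcceptRule "tcp" cfg.allowedTCPPorts cfg.allowedTCPPortRanges}
          ${mkAcceptRule "udp" cfg.allowedUDPPorts cfg.allowedUDPPortRanges}

          # DHCPv6 client replies arrive on the link-local address, port 546.
          ip6 daddr fe80::/64 udp dport 546 accept

          # Counts what falls through to the drop policy.
          counter
        }

        chain output {
          type filter hook output priority filter; policy accept;
          counter
        }

        chain forward {
          # Default-deny transit. With IPv4 forwarding on and an `accept` policy
          # here, any neighbour on ${wan} that routes the container subnets via
          # this host could reach the containers directly, and containers could
          # be used to relay traffic between arbitrary interfaces.
          type filter hook forward priority filter; policy drop;

          ct state invalid drop
          ct state established,related accept

          # Flows rewritten by the nat prerouting chain (port 22 -> forgejo).
          ct status dnat accept

          # Anything originated by a container may go anywhere, including to
          # other containers; the return path is covered by established,related.
          iifname "lxcbr0" accept
          iifname "ve-*" accept

          # Counts what falls through to the drop policy.
          counter
        }
      }

      table ip nat {
        chain prerouting {
          type nat hook prerouting priority -100; policy accept;

          # TCP/22 arriving on the uplink belongs to the forgejo container.
          # Consequence: the host's own sshd is NOT reachable on port 22 via
          # ${wan}; reach it on another port or interface.
          iifname "${wan}" tcp dport 22 dnat to ${config.containers.forgejo.localAddress}:22
        }

        chain postrouting {
          type nat hook postrouting priority 100; policy accept;

          # Source-NAT container traffic leaving through the uplink.
          iifname "lxcbr0" oifname "${wan}" masquerade
          iifname "ve-*" oifname "${wan}" masquerade
        }
      }
    '';
  };
}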