haccfiles/parsons/nftables.nix

{ config, lib, pkgs, ... }:

{
  networking.firewall.enable = false;
  networking.nat.enable = false;
    boot = {
      kernelModules = [ "nf_nat_ftp" ];
      kernel.sysctl = {
        "net.ipv4.conf.all.forwarding" =  true;
        "net.ipv4.conf.default.forwarding" = true;
      };
    };

    networking.nftables = {
      enable = true;

      ruleset = ''
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
    icmp type echo-request accept

    ct state invalid drop
    ct state established,related accept

    iifname { lo } accept

    tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept

    udp dport { 60000-61000, 64738 } accept


    

    # DHCPv6
    ip6 daddr fe80::/64 udp dport 546 accept

    

    counter
  }
  chain output {
    type filter hook output priority filter
    policy accept

    

    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy accept

    

    

    counter
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100
    iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
  }
  chain postrouting {
    type nat hook postrouting priority 100
    iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
    
  }
}

    '';
  };
}