Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/interfaces.nix47
1 files changed, 46 insertions, 1 deletions
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
index 9b9286d..5bea211 100644
--- a/sys/net/interfaces.nix
+++ b/sys/net/interfaces.nix
@@ -17,6 +17,13 @@ in
};
config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ };
+
environment.systemPackages = with pkgs; [
conntrack-tools
dhcpcd
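Review bot: The four sysctl entries turn on IPv4 and IPv6 forwarding for every present and future interface (`all` and `default`) whenever `cfg.enable` is set, while the firewall hunk below leaves the FORWARD policy at `ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP`, so from this commit on the host routes any packet between any of its interfaces, and only RELATED/ESTABLISHED/SNAT/DNAT traffic is explicitly matched in `local-forward`. If the forwarding sysctls are enabled here, the FORWARD policy should be closed in the same change — `ip46tables -t filter -P FORWARD DROP` with the conntrack rule kept — and per-peer accepts added to `local-forward`, rather than leaving the policy open behind a TODO. A short comment above the block would also help the next reader, e.g. `# Host acts as a router: forwarding is enabled for all interfaces; traffic is admitted in the local-forward chain.`. Note too that setting `net.ipv6.conf.all.forwarding` makes the kernel ignore router advertisements on interfaces with the usual `accept_ra = 1`, so an upstream interface that relied on SLAAC may need `accept_ra = 2` — worth confirming against the hosts this module is applied to.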
@@ -30,7 +37,45 @@ in
domain = mkDefault config.local.domains.host.main;
hostName = cfg.hostname;
- firewall.logRefusedConnections = false;
+ firewall = {
+ extraCommands = mkBefore ''
+ ip46tables -t filter -P INPUT DROP
+ ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP
+
+ ip46tables -t filter -N local-input
+ ip46tables -t filter -N local-forward
+ ip46tables -t nat -N local-prerouting
+ ip46tables -t nat -N local-postrouting
+
+ ip46tables -t filter -I INPUT -j local-input
+ ip46tables -t filter -I FORWARD -j local-forward
+ ip46tables -t nat -I PREROUTING -j local-prerouting
+ ip46tables -t nat -I POSTROUTING -j local-postrouting
+
+ ip46tables -t filter -A local-forward -m conntrack --ctstate RELATED,ESTABLISHED,SNAT,DNAT -j ACCEPT
+ '';
+
+ extraStopCommands = mkAfter ''
+ ip46tables -t filter -D INPUT -j local-input || true
+ ip46tables -t filter -D FORWARD -j local-forward || true
+ ip46tables -t nat -D PREROUTING -j local-prerouting || true
+ ip46tables -t nat -D POSTROUTING -j local-postrouting || true
+
+ ip46tables -t filter -F local-input || true
+ ip46tables -t filter -X local-input || true
+ ip46tables -t filter -F local-forward || true
+ ip46tables -t filter -X local-forward || true
+ ip46tables -t nat -F local-prerouting || true
+ ip46tables -t nat -X local-prerouting || true
+ ip46tables -t nat -F local-postrouting || true
+ ip46tables -t nat -X local-postrouting || true
+
+ ip46tables -t filter -P INPUT ACCEPT
+ ip46tables -t filter -P FORWARD ACCEPT
+ '';
+
+ logRefusedConnections = false;
+ };
useDHCP = false;
enableIPv6 = mkDefault true;