From 6079e6446c1c1ddbe6fcc4b7f3d41a7659b06788 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 5 Feb 2026 17:49:11 -0600
Subject: [PATCH] working version firewall

---
 hosts/vps/configuration.nix | 127 ++++++++++++++++++------------------
 1 file changed, 64 insertions(+), 63 deletions(-)

diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index e908a76..8d807da 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -4,6 +4,24 @@
 inputs,
 ...
 }:
+let
+ externalInterface = config.my.interfaces.${config.networking.hostName};
+ homeServer = config.my.ips.wg-server;
+ wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
+ wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
+ wgServerSubnet = "10.77.0.0/24";
+ wgFriend1 = config.my.ips.wg-friend1;
+ wgFriend2 = config.my.ips.wg-friend2;
+ wgFriend3 = config.my.ips.wg-friend3;
+ wgFriend4 = config.my.ips.wg-friend4;
+ giteaSshPort = 22;
+ giteaSshPortStr = toString giteaSshPort;
+ syncthingPort = toString 22000;
+ synapseFederationPort = toString 8448;
+ synapseClientPort = toString config.my.servers.synapse.port;
+ syncplayPort = toString config.my.servers.syncplay.port;
+ stashPort = toString config.my.servers.stash.port;
+in
 {
 imports = [
 ./hardware-configuration.nix
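Review bot: `wgServerSubnet = "10.77.0.0/24"` is the only network in this `let` written as a literal; `homeServer` and the friends/guests subnets still come from `config.my.ips`, and the removed code derived the same value from `config.my.ips.wg-s`. If `config.my.ips.wg-server` is ever moved outside 10.77.0.0/24, the wg-to-wg `drop` rules in the forward chain that reference `wgServerSubnet` silently stop matching while the `accept` rules keyed on `homeServer` keep working, so the isolation between the server side and the friends/guests networks would quietly disappear. Either restore `wgServerSubnet = "${config.my.ips.wg-s}/24";` if that option still exists, or pin the relationship with an assertion in the config body, e.g. `assertions = [ { assertion = lib.hasPrefix "10.77.0." homeServer; message = "config.my.ips.wg-server must live inside wgServerSubnet"; } ];`. At minimum add `# must contain config.my.ips.wg-server: the wg-to-wg isolation drop rules depend on it` above the binding.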
@@ -24,73 +42,56 @@ networking.hostName = "vps"; services.smartd.enable = lib.mkForce false; environment.systemPackages = [ ]; - networking.firewall = - let - externalInterface = config.my.interfaces.${config.networking.hostName}; + networking.nftables.enable = true; + networking.firewall = { + enable = true; + filterForward = true; + checkReversePath = "loose"; + allowedTCPPorts = [ + 80 + 443 + 3456 + ]; + allowedUDPPorts = [ 51820 ]; + extraForwardRules = '' + iifname "wg0" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept - homeServer = config.my.ips.wg-server; - wgSubnet = "${config.my.ips.wg-s}/24"; - wgFriendsSubnet = "${config.my.ips.wg-friends}/24"; - wgGuestsSubnet = "${config.my.ips.wg-gs}/24"; - wgFriend1 = config.my.ips.wg-friend1; - wgFriend2 = config.my.ips.wg-friend2; - wgFriend3 = config.my.ips.wg-friend3; - wgFriend4 = config.my.ips.wg-friend4; + iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept - giteaSshPort = toString 22; - syncthingPort = toString 22000; - synapseFederationPort = toString 8448; - synapseClientPort = toString config.my.servers.synapse.port; - syncplayPort = toString config.my.servers.syncplay.port; 
- stashPort = toString config.my.servers.stash.port; - in - { - enable = true; - allowedTCPPorts = [ - 80 - 443 - 3456 - ]; - allowedUDPPorts = [ 51820 ]; - extraForwardRules = '' - ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept - ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept - ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept - ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept + iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept + iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept + iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept + iifname "wg0" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept + iifname "wg0" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept - ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} icmp type echo-reply accept - - ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept - ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - ip saddr ${homeServer}/32 ip daddr ${wgGuestsSubnet} icmp type echo-reply accept - - ip saddr ${wgFriendsSubnet} ip daddr ${wgSubnet} drop - ip saddr ${wgSubnet} ip daddr 
${wgFriendsSubnet} drop - ip saddr ${wgGuestsSubnet} ip daddr ${wgSubnet} drop - ip saddr ${wgSubnet} ip daddr ${wgGuestsSubnet} drop - ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop - ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop - ''; - extraCommands = '' - iptables -t nat -A PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} - iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE - iptables -t nat -A POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE - iptables -t nat -A POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE - ''; - extraStopCommands = '' - iptables -t nat -D PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} || true - iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE || true - iptables -t nat -D POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE || true - iptables -t nat -D POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE || true - ''; - }; + ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop + ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop + ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop + ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop + ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop + ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop + ''; + }; + networking.nat = { + enable = true; + inherit externalInterface; + internalInterfaces = [ "wg0" ]; + forwardPorts = [ + { + sourcePort = giteaSshPort; + proto = "tcp"; + destination = "${homeServer}:${giteaSshPortStr}"; + } + ]; + }; security.sudo-rs.extraRules = [ { users = [ "nixremote" ];
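Review bot: The new `networking.nat` block drops the old `iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE` without a replacement — `forwardPorts` only installs the DNAT — so the Gitea SSH flow now arrives at the home server with the real Internet client as source address, and its replies only come back through the VPS if the home server already routes those destinations over wg0 (AllowedIPs covering them); otherwise the forward breaks even though the DNAT is in place. With `filterForward = true` the DNATed packets additionally need a forward accept from `${externalInterface}` to `wg0`, which none of the visible `extraForwardRules` grants; this therefore relies on the NixOS NAT module adding its own `ct status dnat accept`-style rule for `internalInterfaces`, which is worth confirming on your nixpkgs revision. Note also that `internalInterfaces = [ "wg0" ]` replaces the two per-subnet `-s … MASQUERADE` rules and, if I recall the nftables NAT module correctly, adds a blanket `iifname "wg0" oifname "${externalInterface}" accept`, which extends NAT and egress to every wg0 source including `${wgServerSubnet}` and makes the two per-subnet `oifname` accepts redundant; `internalIPs = [ wgFriendsSubnet wgGuestsSubnet ]` keeps the original scope. `checkReversePath = "loose"` is a new relaxation of rp_filter and deserves a why-comment such as `# loose: forwarded/DNATed wg0 traffic is asymmetric — TODO confirm strict is really rejected`. If the source NAT toward the home server is still wanted, a dedicated nftables table restores it (requires `networking.nftables.tables`, available since nftables support matured in NixOS):

```nix
# … unchanged: networking.firewall and networking.nat as in the hunk …
# source-NAT the DNATed Gitea SSH flow so the home server answers via the VPS
# (replaces the removed `POSTROUTING -d homeServer --dport 22 MASQUERADE`)
networking.nftables.tables."gitea-ssh-snat" = {
  family = "ip";
  content = ''
    chain post {
      type nat hook postrouting priority srcnat; policy accept;
      oifname "wg0" ip daddr ${homeServer} tcp dport ${giteaSshPortStr} masquerade
    }
  '';
};
```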