From 5306b361814c65c9cd16c56f04da5a9e78d7855d Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Wed, 28 Jun 2023 23:51:37 +0100 Subject: [PATCH] ipv4 nat rules --- examples/rotuer-firewall.nix | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/examples/rotuer-firewall.nix b/examples/rotuer-firewall.nix index 249d392..f2a4308 100644 --- a/examples/rotuer-firewall.nix +++ b/examples/rotuer-firewall.nix @@ -143,4 +143,28 @@ in { # "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22" ]; }; + + nat-tx = { + type = "nat"; + hook = "postrouting"; + priority = "100"; + policy = "accept"; + family = "ip"; + rules = [ + "oifname \"ppp0\" masquerade" + ]; + }; + nat-rx = { + type = "nat"; + hook = "prerouting"; + priority = "-100"; + family = "ip"; + policy = "accept"; + rules = [ + # per https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_nat_using_nftables: + # "Even if you do not add a rule to the prerouting chain, the + # nftables framework requires this chain to match incoming + # packet replies. " + ]; + }; }