From a624cbcfd1d2f87cab3b2a512850f4ce1aaed6e5 Mon Sep 17 00:00:00 2001
From: Asmir A
Date: Mon, 10 Feb 2025 15:15:44 +0100
Subject: [PATCH] magpie/networking: iptables -> nftables
---
 magpie/configuration.nix | 44 ++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/magpie/configuration.nix b/magpie/configuration.nix
index a686453..9343bab 100644
--- a/magpie/configuration.nix
+++ b/magpie/configuration.nix
@@ -333,24 +333,28 @@
 };
 networking.hostName = "magpie";
+ networking.firewall = {
+ nftables.enable = true;
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ 587
+ 2049
+ ]; # http, mail, mail, nfs
+ allowedUDPPorts = [
+ 443
+ 51820
+ ]; # mail, wireguard
+ allowPing = true;
+ logRefusedConnections = lib.mkDefault false;
+ };
- networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- 587
- 2049
- ]; # http, mail, mail, nfs
- networking.firewall.allowedUDPPorts = [
- 443
- 51820
- ]; # mail, wireguard
- networking.firewall.allowPing = true;
- networking.firewall.logRefusedConnections = lib.mkDefault false;
-
- networking.nat.enable = true;
- networking.nat.externalInterface = "enp1s0";
- networking.nat.internalInterfaces = [ "wg0" ];
+ networking.nat = {
+ enable = true;
+ externalInterface = "enp1s0";
+ internalInterfaces = [ "wg0" ];
+ };
 networking.networkmanager.enable = true;
 networking.wireless.enable = false;
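Review bot: TCP 2049 (NFS) in the global `allowedTCPPorts` is opened on every interface, including the external `enp1s0` that `networking.nat` uses as the uplink, so the NFS service is reachable from the internet rather than only from WireGuard peers. If NFS is meant for the VPN clients only, scope it to the tunnel with `interfaces.wg0.allowedTCPPorts = [ 2049 ];` inside the new `networking.firewall` block and drop 2049 from the global list. The `# mail, wireguard` comment labels UDP 443 as mail, which is not a conventional mail port; if it is really for HTTP/3 or QUIC, say so, because anyone auditing this list will otherwise look for a mail daemon on it.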
@@ -363,11 +367,11 @@
 # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
 # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
 postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ ${pkgs.nftables}/bin/nft add rule ip nat POSTROUTING oifname "eth0" ip saddr 10.100.0.0/24 counter masquerade
 '';
- # This undoes the above command
+ # This undoes the above command, TODO fix command below to be more specific
 postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ ${pkgs.nftables}/bin/nft flush table ip nat
 '';
 privateKeyFile = config.sops.secrets."wg_privkey".path;
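Review bot: `nft flush table ip nat` in `postShutdown` wipes every rule in the `ip nat` table, not just the masquerade rule `postSetup` added, so bringing wg0 down also removes any other NAT rule that lives in that table (whether the NixOS `networking.nat` rules land there when nftables is enabled should be confirmed with `nft list ruleset`); the TODO in the comment acknowledges this but ships it. Giving the WireGuard rule its own table makes teardown exact: create `ip wg-nat` with a postrouting chain in `postSetup` and `nft delete table ip wg-nat` in `postShutdown`. Two smaller points on the new `add rule` line: it assumes a table `ip nat` with a chain `POSTROUTING` already exists, which nftables does not provide by default, so the command fails unless something else created it; and it masquerades on `eth0` while the firewall hunk names the uplink `enp1s0`, an inconsistency carried over from the iptables version, so one of the two is wrong. The WireGuard interface block this sits in starts and ends outside the hunk.
```nix
postSetup = ''
  ${pkgs.nftables}/bin/nft add table ip wg-nat
  ${pkgs.nftables}/bin/nft 'add chain ip wg-nat postrouting { type nat hook postrouting priority srcnat; }'
  ${pkgs.nftables}/bin/nft add rule ip wg-nat postrouting oifname "enp1s0" ip saddr 10.100.0.0/24 counter masquerade
'';
# Removes only the table created above; other NAT rules are left untouched
postShutdown = ''
  ${pkgs.nftables}/bin/nft delete table ip wg-nat
'';
```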