magpie/networking: iptables -> nftables

magpie/configuration.nix

@@ -333,24 +333,28 @@
   };
 
   networking.hostName = "magpie";
+  networking.firewall = {
+    nftables.enable = true;
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+      587
+      2049
+    ]; # http, mail, mail, nfs
+    allowedUDPPorts = [
+      443
+      51820
+    ]; # mail, wireguard
+    allowPing = true;
+    logRefusedConnections = lib.mkDefault false;
+  };
 
-  networking.firewall.enable = true;
+  networking.nat = {
-  networking.firewall.allowedTCPPorts = [
+    enable = true;
-    80
+    externalInterface = "enp1s0";
-    443
+    internalInterfaces = [ "wg0" ];
-    587
+  };
-    2049
-  ]; # http, mail, mail, nfs
-  networking.firewall.allowedUDPPorts = [
-    443
-    51820
-  ]; # mail, wireguard
-  networking.firewall.allowPing = true;
-  networking.firewall.logRefusedConnections = lib.mkDefault false;
-
-  networking.nat.enable = true;
-  networking.nat.externalInterface = "enp1s0";
-  networking.nat.internalInterfaces = [ "wg0" ];
 
   networking.networkmanager.enable = true;
   networking.wireless.enable = false;
@@ -363,11 +367,11 @@
       # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
       # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
       postSetup = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.nftables}/bin/nft add rule ip nat POSTROUTING oifname "eth0" ip saddr 10.100.0.0/24 counter masquerade
       '';
-      # This undoes the above command
+      # This undoes the above command, TODO fix command below to be more specific
       postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.nftables}/bin/nft flush table ip nat
       '';
       privateKeyFile = config.sops.secrets."wg_privkey".path;