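{ config, lib, pkgs, ... }:

let
  # Backend host that receives every published service. All three sections
  # below (firewall openings, nftables DNAT rules, networking.nat.forwardPorts)
  # are generated from the single `forwards` list so the port, protocol and
  # destination cannot drift apart between them.
  backend = "10.100.0.2";

  # Interface the public traffic arrives on; the DNAT rules match on it.
  publicInterface = "enp0s4";

  # One entry per published service: { port, proto, comment }.
  forwards = [
    { port = 80;    proto = "tcp"; comment = "HTTP"; }
    { port = 443;   proto = "tcp"; comment = "HTTPS"; }
    { port = 42420; proto = "tcp"; comment = "Vintage Story"; }
    { port = 25565; proto = "tcp"; comment = "Minecraft"; }
    { port = 1443;  proto = "tcp"; comment = "Headscale DERP (tcp)"; }
    { port = 3478;  proto = "udp"; comment = "Headscale DERP (udp)"; }
  ];

  # Ports of `forwards` that use the given protocol ("tcp" or "udp").
  portsFor = proto:
    map (f: f.port) (builtins.filter (f: f.proto == proto) forwards);

  # Renders one nftables DNAT rule; same port on the backend as on the public side.
  dnatRule = f:
    "iifname \"${publicInterface}\" ${f.proto} dport ${toString f.port} dnat to ${backend}:${toString f.port}; # ${f.comment}";
in
{
  networking = {
    # NOTE(review): these openings apply to this host's input chain. With the
    # nftables firewall, DNATed packets traverse the forward hook instead, so
    # this list presumably does not gate the forwards unless
    # networking.firewall.filterForward is enabled — confirm which is intended.
    firewall = {
      allowedTCPPorts = portsFor "tcp";
      allowedUDPPorts = portsFor "udp";
    };

    nftables = {
      enable = true;
      # Custom DNAT table for traffic arriving on the public interface.
      # NOTE(review): this coexists with the table the NixOS nat module
      # generates when nftables is enabled; both hook prerouting at dstnat
      # priority, so the same ports are presumably rewritten twice — verify
      # with `nft list ruleset` and keep only one definition.
      ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            ${builtins.concatStringsSep "\n            " (map dnatRule forwards)}
          }
        }
      '';
    };

    nat = {
      enable = true;
      internalInterfaces = [ publicInterface ];
      # Return path to the backend goes through the tunnel; forwarded packets
      # are presumably masqueraded with this interface's address, so the
      # backend sees the gateway rather than the real client IP — TODO confirm
      # if client addresses matter for logging or rate limiting there.
      externalInterface = "wireguard0";
      # NOTE(review): the NixOS nat module matches forwardPorts on
      # externalInterface (wireguard0 here), so these entries likely only act
      # on traffic entering via the tunnel, not on enp0s4; the nftables ruleset
      # above is what forwards public traffic. Confirm and drop the redundant one.
      forwardPorts = map (f: {
        destination = "${backend}:${toString f.port}";
        proto = f.proto;
        sourcePort = f.port;
      }) forwards;
    };
  };
}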