From 09b5a6d69c3765b11dd748092c402651e5eea307 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Sun, 11 Jul 2021 00:34:29 -0500
Subject: [PATCH] Just need IPv6

---
 eth0.network | 6 ++--
 lan0.network | 6 +++-
 link.fish | 2 +-
 nftables.conf | 78 ++++++++++++++++++++++++++-------------------------
 4 files changed, 50 insertions(+), 42 deletions(-)

diff --git a/eth0.network b/eth0.network
index 15198ca..057de6c 100644
--- a/eth0.network
+++ b/eth0.network
@@ -4,5 +4,7 @@ Name=eth0
 [Network]
 DHCP=yes
-Gateway=0.0.0.0/1
-IPForward=yes
+IPForward=ipv4
+
+IPv6AcceptRA=yes
+IPv6PrivacyExtensions=kernel
diff --git a/lan0.network b/lan0.network
index 9d3de64..37adb07 100644
--- a/lan0.network
+++ b/lan0.network
@@ -4,5 +4,9 @@ Name=lan0
 [Network]
 Address=10.0.0.1/24
-IPForward=yes
 IPMasquerade=ipv4
+
+IPv6SendRA=yes
+
+# [IPv6PrefixDelegation]
+# RouterLifetimeSec=3600
diff --git a/link.fish b/link.fish
index f9584da..b6371a4 100755
--- a/link.fish
+++ b/link.fish
@@ -1,7 +1,7 @@
 #!/usr/bin/env fish
 function rmlink
- rm -f $argv[1]
+ rm -f $argv[2]
 ezln $argv[1] $argv[2]
 end
diff --git a/nftables.conf b/nftables.conf
index 3723291..7d3d3ff 100644
--- a/nftables.conf
+++ b/nftables.conf
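Review bot: `IPForward=ipv4` enables only IPv4 forwarding (networkd documents IPForward= as a global kernel setting), yet the same commit turns on `IPv6SendRA=yes` on lan0, so LAN hosts will pick this box as their IPv6 default router; unless IPv6 forwarding is switched on somewhere outside this diff, their v6 traffic is blackholed. If routing IPv6 to the LAN is the goal, this should be `IPForward=yes` (or keep `ipv4` here and add `IPForward=ipv6` on lan0), with a comment such as `# ipv6 forwarding is needed so lan0 can route the advertised prefix`. As far as I recall networkd handles RAs in userspace rather than through the kernel's accept_ra sysctl, so `IPv6AcceptRA=yes` keeps working on a forwarding interface, but that surprises people and deserves a one-line comment as well.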
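Review bot: The commented hint `# [IPv6PrefixDelegation]` names the section that systemd renamed to `[IPv6SendRA]` (v247, at the same time `IPv6PrefixDelegation=` became the `IPv6SendRA=` key this hunk already uses), and that is also where `RouterLifetimeSec=` lives, so the hint will mislead whoever uncomments it; I would change it to `# [IPv6SendRA]`. Dropping `IPForward=yes` while keeping `IPMasquerade=ipv4` relies on the manual's statement that IPMasquerade= implies IPForward= for that family in recent versions; a comment such as `# IPv4 forwarding is implied by IPMasquerade=ipv4` would make that dependency explicit. Note also that `IPv6SendRA=yes` without a prefix source (a delegated prefix from eth0 or an `[IPv6Prefix]` section) advertises the router but no on-link prefix, so confirm that matches the intent.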
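Review bot: `rm -f $argv[2]` now runs before any check that two arguments were passed: with `$argv[2]` unset fish expands it to nothing, `rm -f` exits 0 without operands, and `ezln` is then invoked with a single argument. Since the function's whole purpose is to unconditionally delete the target path before relinking, a guard such as `if test (count $argv) -ne 2; echo 'usage: rmlink SOURCE TARGET' >&2; return 1; end` as the first line of the body would keep the destructive step from running on a malformed call. `ezln` is defined outside this hunk, so I cannot tell whether it validates its own arguments.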
@@ -1,21 +1,25 @@
 define WAN = eth0
 define LAN = lan0
+define ROUTER_TCP_PORTS = { 22 }
+define ROUTER_UDP_PORTS = { 546, 53, 67 }
+define ROUTER_INET_PORTS = { 546, 53, 67 }
 define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
-# define FACELESS_UDP_PORTS = 60000-60009
+# define FACELESS_UDP_PORTS = { }
 define DRAGON_TCP_PORTS = { 2221 }
-# define DRAGON_UDP_PORTS = 60020-60029
+# define DRAGON_UDP_PORTS = { }
 table inet filter {
 chain input {
 type filter hook input priority filter; policy accept;
 iifname "lo" accept
+ icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query} accept
 ct state { established, related } accept
 ct state invalid drop
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
- tcp dport { 22 } accept
- udp dport { 546, 53, 67 } accept
+ tcp dport $ROUTER_TCP_PORTS accept
+ udp dport $ROUTER_UDP_PORTS accept
 drop
 }
@@ -39,17 +43,15 @@ table ip nat {
 chain prerouting {
 type nat hook prerouting priority -100; policy accept;
- # ip daddr 10.0.0.1 tcp dport ( 2221 ) dnat to 10.0.0.5:22
- # ip daddr 10.0.0.1 udp dport ( 60020 ) dnat to 10.0.0.5:60020
- # ip daddr 10.0.0.1 udp dport ( 60021 ) dnat to 10.0.0.5:60021
+ # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.10
- # ip daddr 10.0.0.1 tcp dport ( 80 ) dnat to 10.0.0.10:80
- # ip daddr 10.0.0.1 tcp dport ( 443 ) dnat to 10.0.0.10:443
- # ip daddr 10.0.0.1 tcp dport ( 2222 ) dnat to 10.0.0.10:2222
- # ip daddr 10.0.0.1 tcp dport ( 2200 ) dnat to 10.0.0.10:22
+ iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.10
+ # iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.10
+ iifname $WAN udp dport 60000-60009 dnat to 10.0.0.10
- iifname $WAN tcp dport { 443, 80 } dnat to 10.0.0.10
- # iifname "lan0" tcp dport { 443, 80 } dnat to 10.0.0.10
+ iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.5
+ # iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.5
+ iifname $WAN udp dport 60020-60029 dnat to 10.0.0.5
 }
 }
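Review bot: `udp dport $ROUTER_UDP_PORTS accept` and `tcp dport $ROUTER_TCP_PORTS accept` carry no `iifname`, so the DNS (53), DHCPv4 server (67) and SSH (22) listeners on the router are reachable from `$WAN` as well as `$LAN`; of these only 546 (the DHCPv6 client port) plausibly needs to be open towards the WAN, since DHCPv6 replies to a multicast Solicit are not matched by the `ct state established` rule. I would split them into `iifname $LAN tcp dport $ROUTER_TCP_PORTS accept`, `iifname $LAN udp dport { 53, 67 } accept` and `iifname $WAN udp dport 546 accept`. Separately, the new `icmpv6 type { ... } accept` line is redundant as written, because `meta l4proto ipv6-icmp accept` a few lines below accepts every ICMPv6 type; if the intent was to narrow ICMPv6 to ND/MLD/echo, that blanket rule has to go (and a `limit rate` on echo-request would be worth adding). `ROUTER_INET_PORTS` is defined but not referenced in any visible hunk.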
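Review bot: `iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.10` rewrites only the address, so inbound 2200 lands on 10.0.0.10:2200, whereas the removed `dport ( 2200 ) dnat to 10.0.0.10:22` rule translated it to 22; if that mapping is still wanted it needs a dedicated `iifname $WAN tcp dport 2200 dnat to 10.0.0.10:22` placed before the set-based rule, otherwise 2200 should be dropped from `FACELESS_TCP_PORTS`. The UDP ranges `60000-60009` and `60020-60029` are hard-coded while `FACELESS_UDP_PORTS`/`DRAGON_UDP_PORTS` are left as commented-out empty sets; `define FACELESS_UDP_PORTS = 60000-60009` (and likewise for DRAGON) would let the rules use the variables the way their TCP siblings do. DNAT alone does not admit these flows: whatever the `inet filter` forward chain (outside this hunk) accepts should be limited to the same hosts and ports, e.g. `iifname $WAN ct status dnat accept`, rather than a blanket WAN-to-LAN accept.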
@@ -85,28 +87,28 @@ table ip io.systemd.nat {
 }
 # nat ipv6 for lan (probably unnecessary?)
-table ip6 io.systemd.nat {
- set masq_saddr {
- type ipv6_addr
- flags interval
- }
-
- map map_port_ipport {
- type inet_proto . inet_service : ipv6_addr . inet_service
- }
-
- chain prerouting {
- type nat hook prerouting priority dstnat + 1; policy accept;
- fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
- }
-
- chain output {
- type nat hook output priority -99; policy accept;
- ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
- }
-
- chain postrouting {
- type nat hook postrouting priority srcnat + 1; policy accept;
- ip6 saddr @masq_saddr masquerade
- }
-}
+# table ip6 io.systemd.nat {
+# set masq_saddr {
+# type ipv6_addr
+# flags interval
+# }
+#
+# map map_port_ipport {
+# type inet_proto . inet_service : ipv6_addr . inet_service
+# }
+#
+# chain prerouting {
+# type nat hook prerouting priority dstnat + 1; policy accept;
+# fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
+# }
+#
+# chain output {
+# type nat hook output priority -99; policy accept;
+# ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
+# }
+#
+# chain postrouting {
+# type nat hook postrouting priority srcnat + 1; policy accept;
+# ip6 saddr @masq_saddr masquerade
+# }
+# }
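Review bot: Commenting out the whole `ip6 io.systemd.nat` table leaves 25 lines of dead configuration that git history already preserves, and the heading `# nat ipv6 for lan (probably unnecessary?)` still reads as an open question rather than a decision. Either delete the block or keep a short note stating why it is off, e.g. `# ipv6 nat disabled: lan hosts get routable addresses via RA, so no ip6 masquerade/dnat` (adjust to the actual reason). The set/map layout (`masq_saddr`, `map_port_ipport`) looks like the table systemd-networkd creates itself for `IPMasquerade=`, so the note should also say whether networkd is expected to own these tables; if this file begins with `flush ruleset` (not visible here), loading it would remove networkd's copy too.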