From 60903e955fb0102a03a751288ac68ef59f3df567 Mon Sep 17 00:00:00 2001
From: Egor Savkin
Date: Thu, 10 Oct 2024 12:37:15 +0800
Subject: [PATCH] Stop rejecting packages from the tunnel

Appears that firewall rejects packages before they are getting unwrapped to GRE

Signed-off-by: Egor Savkin
---
 nixbld-etc-nixos/configuration.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 07f6d33..e358601 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -92,8 +92,14 @@ in
 firewall = {
 allowedTCPPorts = [ 53 80 443 2222 7402 ];
 allowedUDPPorts = [ 53 67 500 4500 ];
- trustedInterfaces = [ netifLan netifUSA ];
+ trustedInterfaces = [ netifLan ];
 logRefusedConnections = false;
+ extraCommands = ''
+ iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
+ iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
+ iptables -A OUTPUT -d 5.78.86.156 -p gre -j ACCEPT
+ iptables -A OUTPUT -d 5.78.86.156 -p ah -j ACCEPT
+ '';
 };
 useDHCP = false;
 interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
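Review bot: The new `iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT` rule accepts any GRE packet whose IP header merely claims the peer address, and GRE carries no authentication of its own, so it opens a source-spoofable path rather than the "accept GRE once it has been unwrapped" behaviour the message describes; the neighbouring AH rule together with the already-allowed UDP 500/4500 suggests GRE-over-IPsec, in which case the GRE rule should require that the packet actually came out of an IPsec SA: `iptables -A INPUT -s 5.78.86.156 -p gre -m policy --dir in --pol ipsec -j ACCEPT`. The two OUTPUT rules are presumably redundant under NixOS's default ACCEPT output policy, but they are harmless. A comment above `extraCommands` explaining the bare address, such as `# GRE-over-IPsec peer for the USA tunnel; GRE is unauthenticated, so only accept it after IPsec decapsulation`, would save the next reader from guessing, and if `netifUSA` is that tunnel's interface the address is probably better bound next to it than hard-coded here. The enclosing `networking` attribute set begins and ends outside the hunk.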