From e89afabdfb8a4ce9bef2644ace694a8ede6f06fa Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Tue, 15 Oct 2019 19:42:26 +0800
Subject: [PATCH] nixbld: isolate wifi network. Closes #20

---
 nixbld-etc-nixos/configuration.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 7e93eac..9335f50 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -55,6 +55,17 @@ in
     enable = true;
     externalInterface = netifWan;
     internalInterfaces = [ netifLan netifWifi ];
+    extraCommands = ''
+      iptables -w -N block-lan-from-wifi
+      iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
+      iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
+      iptables -w -A FORWARD -j block-lan-from-wifi
+    '';
+    extraStopCommands = ''
+      iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
+      iptables -w -F block-lan-from-wifi 2>/dev/null|| true
+      iptables -w -X block-lan-from-wifi 2>/dev/null|| true
+    '';
   };
   sits."${netifSit}" = {
     dev = netifWan;
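Review bot: The new extraCommands are not idempotent: `iptables -w -N block-lan-from-wifi` fails if the chain already exists, and `-A FORWARD -j block-lan-from-wifi` appends another jump on every run, so if the start sequence ever executes without extraStopCommands having cleaned up first (not verifiable from the hunk alone) the unit either errors out or accumulates duplicate rules. Creating-or-flushing the chain and dropping any stale jump before appending makes the block safe to re-run: `iptables -w -N block-lan-from-wifi 2>/dev/null || iptables -w -F block-lan-from-wifi` and `iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null || true` ahead of the existing `-A FORWARD` line. Because the jump is appended with `-A`, the DROP rules only take effect if no earlier FORWARD rule already accepts LAN/WiFi traffic; confirm the chain's existing rules or insert with `-I FORWARD` instead. Only IPv4 is covered — if IPv6 forwarding is enabled on this host, matching ip6tables rules are needed for the isolation to hold. The enclosing attribute set (presumably `networking.nat`) opens outside the hunk.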