<Shados>
veths are quite handy. I use them in combination with network namespaces to funnel traffic for specific applications and daemons through specific tunnels.
<gchristensen>
is there something special about NAT + UDP packets? I'm trying to NAT a UDP port from my router to an internal system, and have done it the same way I do 2 other TCP ports
<gchristensen>
hrm
<gchristensen>
okay so apparently I broke forwarding somehow and none of my ports forward like I thought
<clever>
gchristensen: check the journal and also the conntrack tables
<clever>
cat /proc/net/nf_conntrack
<clever>
that shows records with quads of ip and port, the source/dest ip/port on the internal, and external side
<clever>
and each record explains how to translate things to make it continue to pass thru NAT
<clever>
that's how the established rule in conntrack works
<gchristensen>
ohhh boy!
<gchristensen>
this sounds wonderful, I'll try this out as soon as I can :D
<clever>
DNAT and SNAT allow mutating packets before they enter the table
<gchristensen>
a few months ago I changed my firewall rules to be automatically generated to block as much as possible, and I'm pretty sure I broke it there :)
<clever>
using the conntrack tables, you can work backwards from a connection to something, and see which LAN machine is responsible
<clever>
or just see what a given port is doing
<clever>
conntrack on udp can override iptables
<clever>
udp6 0 0 :::6991 :::* 9181/rtorrent
<clever>
as an example, my NAS is listening on that port, let's just say it's a NixOS ISO :P
<clever>
there are 268 lines in `grep 6991 /proc/net/nf_conntrack`, because of the DHT/p2p
<gchristensen>
I have a nearly identical record, also for nixos ISOs
<clever>
on the router, I see 233 records for the same grep
<clever>
but now, it's showing a 192.168.2.11 -> 191.162.147.55 link for outbound (NAS to pubip), but 191.162.147.55 -> 108.175.85.156 for the inbound!?
<clever>
that would be my public ip (the 108 one)
<clever>
NAT will then change the dest back to .2.11, and then forward it into the LAN
<clever>
and for outgoing, it changes the src, to appear to be my pubip
<clever>
but, it can also be messing with the ports on both ends
<clever>
all outgoing stuff must be on a unique port
<gchristensen>
hrm
<gchristensen>
I'm not sure that really tells me what I need to know
<clever>
if an entry for your udp port already exists, it may take priority over the iptables stuff
<clever>
try ceasing all traffic on that port until the list dies down to nothing
<gchristensen>
brb
<clever>
one of the columns is a ttl
<gchristensen>
yikes
<gchristensen>
my firewall rules aren't all being applied
<cransom>
I remember having some issues when I tried to be clever with my rulesets. One of the iptables commands exited non-0, which aborted the rest of the script.
<gchristensen>
good grief
<gchristensen>
also my iptables rule set gets longer and longer on each deploy since I don't always use the nixos-fw chain... :)
<cransom>
I defeated the monster by adding my own set +e at the beginning, but really, iptables just sucks. I miss pf a lot. nftables is probably a winner, but I don't know how things like fail2ban, miniupnpd, and (bleh) docker deal without iptables. It'd be more work, I'm sure.
<gchristensen>
I'm wondering if my isp is blocking ports