<Shados> veths are quite handy. I use them in combination with network namespaces to funnel traffic for specific applications and daemons through specific tunnels.
Guanin has quit [Quit: Leaving]
mmlb39 has joined #nixos-on-your-router
mmlb3 has quit [Ping timeout: 245 seconds]
mmlb394 has joined #nixos-on-your-router
mmlb39 has quit [Ping timeout: 245 seconds]
mmlb3949 has joined #nixos-on-your-router
mmlb394 has quit [Ping timeout: 255 seconds]
mmlb39491 has joined #nixos-on-your-router
mmlb3949 has quit [Ping timeout: 245 seconds]
<gchristensen> is there something special about NAT + UDP packets? I'm trying to NAT a UDP port from my router to an internal system, and have done it the same way I do 2 other TCP ports
<gchristensen> hrm
<gchristensen> okay so apparently I broke forwarding somehow and none of my ports forward like I thought
<clever> gchristensen: check the journal and also the conntrack tables
<clever> cat /proc/net/nf_conntrack
<clever> that shows records with quads of ip and port, the source/dest ip/port on the internal, and external side
<clever> and each record explains how to translate things to make it continue to pass thru NAT
<clever> that's how the established rule in conntrack works
<gchristensen> ohhh boy!
<gchristensen> this sounds wonderful, I'll try this out as soon as I can :D
<clever> DNAT and SNAT allow mutating packets before they enter the table
<gchristensen> a few months ago I changed my firewall rules to be automatically generated to block as much as possible, and I'm pretty sure I broke it there :)
<clever> using the conntrack tables, you can work backwards from a connection to something, and see which LAN machine is responsible
<clever> or just see what a given port is doing
<clever> conntrack on udp can override iptables
<clever> udp6 0 0 :::6991 :::* 9181/rtorrent
<clever> as an example, my nas is listening on that port, let's just say it's nixos ISO :P
<clever> there are 268 lines in `grep 6991 /proc/net/nf_conntrack`, because of the DHT/p2p
<gchristensen> I have a nearly identical record, also for nixos ISOs
<clever> on the router, i see 233 records for the same grep
<clever> ipv4 2 udp 17 89 src= dst= sport=6991 dport=42373 src= dst= sport=42373 dport=6991 [ASSURED] mark=0 use=2
<clever> but now, it's showing a -> link for outbound (nas to pubip), but -> for the inbound!?
<clever> that would be my public ip (the 108 one)
<clever> NAT will then change the dest back to .2.11, and then forward it into the LAN
<clever> and for outgoing, it changes the src, to appear to be my pubip
<clever> but, it can also be messing with the ports on both ends
<clever> all outgoing stuff must be on a unique port
<gchristensen> hrm
<gchristensen> I'm not sure that really tells me what I need to know
<clever> if an entry for your udp port already exists, it may take priority over the iptables stuff
<clever> try ceasing all traffic on that port until the list dies down to nothing
<gchristensen> brb
<clever> one of the columns is a ttl
qyliss has quit [Ping timeout: 258 seconds]
qyliss has joined #nixos-on-your-router
qyliss has quit [Read error: Connection reset by peer]
qyliss has joined #nixos-on-your-router
<gchristensen> yikes
<gchristensen> my firewall rules aren't all being applied
<cransom> i remember having some issues when i tried to be clever with my rulesets. one of the iptables commands exited non-zero which aborted the rest of the script
<gchristensen> good grief
<gchristensen> also my iptables rule set gets longer and longer on each deploy since I don't always use the nixos-fw chain... :)
<cransom> i defeated the monster by adding my own set +e at the beginning, but really, iptables really just sucks. i miss pf a lot. nftables is probably a winner but i don't know how things like fail2ban, miniupnpd, and (bleh) docker deal without iptables. it'd be more work i'm sure.
<gchristensen> I'm wondering if my isp is blocking ports
<gchristensen> no
<gchristensen> just incompetent :)
lopsided98_ has joined #nixos-on-your-router
lopsided98 has quit [Ping timeout: 252 seconds]
<gchristensen> https://i.pinimg.com/originals/6f/73/ba/6f73ba53bb3d091c94ec06c5247d500d.png I should have looked this up ages ago
<gchristensen> oh for fucks sake
<gchristensen> I was testing it from within my network
<gchristensen> i.e.: asking for what I think is called hairpin routing