#nixos-on-your-router on 2021-04-25

2019-08-19 13:17 eyJhb changed the topic of #nixos-on-your-router to: NixOS on your Router || https://logs.nix.samueldr.com/nixos-on-your-router

00:46 <hexa-> thanks everyone!

02:58 syhn has joined #nixos-on-your-router

03:49 siraben has quit [Changing host]

03:49 siraben has joined #nixos-on-your-router

17:45 <eyJhb> Am I doing something obvious wrong here? https://termbin.com/33c3 ifUplink is enp7s0, which is my public interface on my server. I just want to redirect traffic from port

17:45 <eyJhb> 9091, to the veth 10.100.0.12

17:45 <eyJhb> Which is inside a namespace :) I can curl 10.100.0.12:9091 from my server, but the DNAT does not seem to work

18:33 <NinjaTrappeur> Do you have a route in your netns pointing back to your server via 10.100.0.12?

18:34 <NinjaTrappeur> Your dnat does not seem wrong to me. I'd not trust myself though, better try to tcpdump just to make sure the dnat indeed works ;)

18:39 <eyJhb> NinjaTrappeur: I hadn't enabled ip_forward... :/ So now I can get stuff INTO my namespace, but I cannot get it out again (curl on the root namespace works fine) - https://termbin.com/b3ot

18:46 <NinjaTrappeur> ip netns exec $yourns route get 192.168.1.226

18:47 <NinjaTrappeur> I think you miss the route back home

18:51 mvnetbiz_ has quit [Ping timeout: 245 seconds]

18:51 thefloweringash has quit [Ping timeout: 245 seconds]

18:52 n0emis[m] has quit [Ping timeout: 245 seconds]

18:52 <eyJhb> NinjaTrappeur: I have tried to add it, as can be seen here - https://termbin.com/w7qm and there is also the result of that command line :)

18:53 n0emis[m] has joined #nixos-on-your-router

18:54 mvnetbiz_ has joined #nixos-on-your-router

18:54 thefloweringash has joined #nixos-on-your-router

18:59 <NinjaTrappeur> I don't get it, sorry (I don't use ns that much, I might be missing something obvious).

18:59 <NinjaTrappeur> I assume you can't ping 192.168.1.226 from the ns, even with the route right?

19:00 <eyJhb> Nope, not able to. And I am in the same boat, but only knowing even less about ns :p

19:00 <NinjaTrappeur> :)

19:00 <NinjaTrappeur> Please write the solution here when you find it, I'm hooked now :)

19:06 <eyJhb> NinjaTrappeur: I am so close to just doing a ssh local connection each time I need it :p

19:08 <NinjaTrappeur> I'm wondering how nftables is considering the return packet. Is it handled by a output chain type or a forward one?

19:09 <NinjaTrappeur> you're not setting any policy nor accepting anything on your forward chain.

19:09 <eyJhb> I could just do a policy accept and test?

19:10 <NinjaTrappeur> (since you're route seems to be alright, my gut feeling is that something along the way eats your delicious data. By elemination, it's either the firewall, either some ns magic)

19:10 <NinjaTrappeur> yup

19:10 <NinjaTrappeur> *your route

19:10 <eyJhb> No dice :(

19:12 <eyJhb> Shouldn't I be able to combine DNAT/SNAT together? ie. it would be ideal if it changes the ip from the incoming ip, to 10.100.0.11, and then goes into the veth, which will then know how to handle the route, etc.

19:18 <NinjaTrappeur> I guess you could. But conceptually, I don't understand what blocks us.

19:19 <NinjaTrappeur> Maybe something to do with the firewall config of your veth's ns?

19:20 <NinjaTrappeur> gotta go. Ping me if you find the solution :)

19:20 <eyJhb> Shouldn't be any firewall :/

19:20 <eyJhb> Will do NinjaTrappeur :p

19:21 <eyJhb> I got a little further, and now it will try to send it out to 192.168.1.226 using route `192.168.1.0/24 via 10.100.0.11 dev wg0 `

20:06 <eyJhb> Is this cheating? socat tcp-listen:9091,reuseaddr,fork tcp-connect:10.100.0.12:9091

20:22 <eyJhb> NinjaTrappeur: `oifname veth0 masquerade`

22:16 syhn has quit [Ping timeout: 245 seconds]

22:16 syhn has joined #nixos-on-your-router