diff options
author | lassulus <lassulus@lassul.us> | 2023-01-18 20:03:06 +0100 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2023-01-18 20:03:06 +0100 |
commit | ad1320ce807e9a981b5b193394359fc2c2fe5fd0 (patch) | |
tree | 50e0d8f6be7807f2d2405c4502d8783d728af894 | |
parent | c9339846fd3df3d50413058bb2f732a4b6e69d8d (diff) |
l riot: use iptables for port forwarding
-rw-r--r-- | lass/2configs/riot.nix | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix index 559e7b20d..6aacec5b6 100644 --- a/lass/2configs/riot.nix +++ b/lass/2configs/riot.nix @@ -31,27 +31,31 @@ privateNetwork = true; hostAddress = "10.233.1.1"; localAddress = "10.233.1.2"; - forwardPorts = [ - { hostPort = 45622; containerPort = 22; } - ]; }; systemd.network.networks."50-ve-riot" = { matchConfig.Name = "ve-riot"; networkConfig = { - IPForward = "yes"; # weirdly we have to use POSTROUTING MASQUERADE here + # and set ip_forward manually + # IPForward = "yes"; # IPMasquerade = "both"; LinkLocalAddressing = "no"; KeepConfiguration = "static"; }; }; - # networking.nat can be used instead of this + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; + krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } ]; + + # networking.nat can be used instead of this + krebs.iptables.tables.nat.PREROUTING.rules = [ + { predicate = "-p tcp --dport 45622"; target = "DNAT --to-destination ${config.containers.riot.localAddress}:22"; v6 = false; } + ]; krebs.iptables.tables.filter.FORWARD.rules = [ { predicate = "-i ve-riot"; target = "ACCEPT"; } { predicate = "-o ve-riot"; target = "ACCEPT"; } |