router: allow WAN port-forwards to any DNAT target, not just eth0

The forward rule only accepted iifname=eno1 oifname=eth0 ct status=dnat,
which worked when port-forwards always landed on a LAN host. Docker
DNAT routes to docker0, so external traffic to 26900 was being DNAT'd
correctly but then dropped at the forward filter. Drop the oifname
constraint — the prerouting DNAT rule already controls what gets
forwarded; the filter doesn't need to second-guess it.
ediblerope 2026-04-26 19:42:15 +01:00
parent a124f314d9
commit c1750c8538


@ -128,8 +128,8 @@ in
iifname "eth0" accept iifname "eth0" accept
# Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.) # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
iifname "docker0" accept iifname "docker0" accept
# WAN → LAN only if it was DNAT'd by a port-forward rule # WAN → any port-forward target (LAN host or docker container)
iifname "eno1" oifname "eth0" ct status dnat accept iifname "eno1" ct status dnat accept
} }
chain output { chain output {
type filter hook output priority 0; policy accept; type filter hook output priority 0; policy accept;
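Review bot: the replacement rule `iifname "eno1" ct status dnat accept` now accepts DNAT'd WAN traffic toward every output interface, not just the two the commit message names (LAN host on eth0, container on docker0), so the forward filter no longer states which egress interfaces a port-forward may reach and relies entirely on the prerouting DNAT rules being correct. If the intent is only to add docker0 as a valid target, a set keeps that intent explicit in the filter, e.g. `iifname "eno1" oifname { "eth0", "docker0" } ct status dnat accept`, and any future DNAT target on another interface then has to be added here deliberately rather than being forwarded silently. If the broader match is wanted, the updated comment on this line should say that the forward chain no longer restricts DNAT targets by interface, so whoever edits the prerouting DNAT rules later knows they are the only control.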