NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Networking NAT is not working with firewall enabled #33030

Open corpix opened 6 years ago

corpix commented 6 years ago

Issue description

I am trying to set up a router with NAT. Network Address Translation is not working with `networking.firewall.enable = true;`, but it works with `networking.firewall.enable = false;`.

Steps to reproduce

My settings:

```nix
{
  networking = {
    networkmanager.enable = true;
    firewall = {
      enable = true;
      allowPing = true;
      allowedTCPPorts = [ 22 ];
      allowedUDPPorts = [ ];
      logRefusedConnections = true;
      logRefusedPackets = true;
      extraCommands = ''
        iptables  -I INPUT -p tcp -m tcp --dport 22 ! -s 192.168.1.1/24 -j nixos-fw-log-refuse
      '';
    };
    nat = {
      enable = true;
      internalInterfaces = [ "enp3s0" ];
      externalInterface = "enp2s0";
      internalIPs = [ "192.168.1.1/24" ];
    };
  };
}
```

192.168.1.1 is the IP of the router I am trying to set up.

On another machine:

Technical details

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 4.9.70, NixOS, 18.03pre-git (Impala)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 1.11.16`
 - nixpkgs: `/nix/store/pgi61hdwa4jl0dvq3dqbhli6r955br01-nixpkgs-5b6c5964b088997d9600dd8b4f21033aefb5f067`

primeos commented 6 years ago

I'm not sure if it'll work, but if you have time you could give it a try with `networking.firewall.checkReversePath = false;`; that might be the cause.
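
One way to test this suggestion without switching the firewall off, as an added example that is neither corpix's configuration nor code from the NixOS modules: it reuses the interfaces and subnet from the issue (written as the network address 192.168.1.0/24 rather than the router's host address) and assumes the `checkReversePath` and `logReversePathDrops` options of the NixOS firewall module.

```nix
# Added example: the router settings from the issue with the firewall kept on.
# Step 1 leaves the reverse-path check enabled but logs what it drops, so the
# cause can be confirmed before the check is relaxed in step 2.
{ ... }:

{
  networking = {
    nat = {
      enable = true;
      externalInterface = "enp2s0";
      internalInterfaces = [ "enp3s0" ];
      internalIPs = [ "192.168.1.0/24" ];   # LAN subnet, not the router's host IP
    };

    firewall = {
      enable = true;
      allowPing = true;
      allowedTCPPorts = [ 22 ];

      # Step 1 (diagnose): keep the rpfilter check, log its drops to the journal.
      # If forwarded LAN-to-WAN traffic shows up in those log lines, the
      # reverse-path check is what breaks NAT on this box.
      checkReversePath = true;
      logReversePathDrops = true;

      # Step 2 (mitigate): only if step 1 confirms it, relax the check.
      # checkReversePath = false;

      # Restrict SSH on the router to the LAN; `-w` waits for the xtables lock
      # instead of failing when another iptables process holds it.
      extraCommands = ''
        iptables -w -I INPUT -p tcp --dport 22 ! -s 192.168.1.0/24 -j nixos-fw-log-refuse
      '';
    };
  };
}
```

After `nixos-rebuild switch`, watch `journalctl -k -f` from a LAN client while it tries to reach the outside; drops logged there before relaxing the check tell you the rpfilter rule, and not the NAT rules, is the culprit.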

dezgeg commented 6 years ago

My working config with both nat and firewall enabled: https://github.com/dezgeg/nixconfs/blob/master/kbuilder.nix#L35

corpix commented 6 years ago

@primeos thanks for the suggestion, I will try it, but not now (I have solved the problem with firewall `extraCommands`).

But anyway, if this works then this thing is strange; it should probably be simpler with Nix.

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.