NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Container forwardPorts get filtered #46975

Open spiderbit opened 5 years ago

spiderbit commented 5 years ago

Steps to reproduce

```nix
containers.sshtest = {
  autoStart = true;
  privateNetwork = true;
  hostAddress = "192.168.20.10";
  localAddress = "192.168.20.11";
  forwardPorts = [ { protocol = "tcp"; hostPort = 25; containerPort = 22; } ];
  config =
  { config, pkgs, ... }:
  {
    services.openssh.enable = true;
  };
};

networking = {
  nat.enable = true;
  nat.internalInterfaces = ["ve-+"];
  nat.externalInterface = "enp7s0";
  firewall.enable = false;
};
```

```
$ nmap sshtest -p 22
22/tcp open ssh

$ nmap 192.168.1.110 -p 25
25/tcp filtered smtp
```

Why does the firewall prevent access to the service? Why does the forwardPorts configuration not set up the system so that it actually forwards the port?

I think that is a bug; if that is a feature, I would say it's a bug in the documentation.

With `nat.enable = false;` it's the same result.

spiderbit commented 5 years ago

Well, I played around a bit with the setup, and yes, it says filtered, but I mistook that for "not open" basically; it works, I can connect with the ssh client.

So my real problem is a deeper one: I have an openvpn client set up inside the container, but I need to connect to a port inside it from the local LAN.

The port still says filtered, but I think the container finds no route to the LAN; not sure if I have to set up some SNAT rule.

Probably it's not NixOS-specific then.

spiderbit commented 5 years ago

```nix
networking.nat.extraCommands = ''iptables -t nat -A nixos-nat-post -d [CONTAINER-LOCAL-ADDRESS] -p tcp --dport [PORT] -j SNAT --to-source [CONTAINER-HOSTADDRESS]'';

networking.nat.forwardPorts = [
  { destination = "[CONTAINER-LOCAL-ADDRESS]:[PORT]"; sourcePort = [PORT]; }
];
```

That works with openvpn in the container; you can then also remove the forwardPorts option from the container, because networking.nat.enable does the same.

I would suggest including that somehow in the networking / container documentation of NixOS, or automatically adding such an iptables chain for every container that contains a services.openvpn.servers.client option.

Or you could have something like a containers..snat option, or, I don't know a better name, bypass-routing. Maybe: "localSourceAddressTranslation".

Other than that, this bugreport could be closed.
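The workaround from the comment above, written out as a complete host configuration that generates the DNAT forward and the matching SNAT rule from one list of ports. This is an added example, not code from the issue or from nixpkgs; it reuses the addresses and interface from the first comment as constructed values and assumes the iptables-based NAT implementation (networking.nat.extraCommands is not applied when networking.nftables.enable is set).

```nix
{ config, lib, ... }:
let
  # Constructed values taken from the report; replace with your own.
  containerHost  = "192.168.20.10";   # hostAddress (host side of the veth)
  containerLocal = "192.168.20.11";   # localAddress (container side)
  lanInterface   = "enp7s0";

  # Ports to expose: hostPort on the LAN side -> containerPort inside.
  exposed = [ { hostPort = 25; containerPort = 22; } ];

  # SNAT reply traffic so it returns via the host address instead of
  # being routed into the container's VPN tunnel.
  snatRule = p: ''
    iptables -t nat -A nixos-nat-post -d ${containerLocal} -p tcp \
      --dport ${toString p.containerPort} -j SNAT --to-source ${containerHost}
  '';
in
{
  containers.sshtest = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = containerHost;
    localAddress = containerLocal;
    # No containers.<name>.forwardPorts here: the host-level NAT rules
    # below take over that role.
    config = { ... }: { services.openssh.enable = true; };
  };

  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = lanInterface;
    # DNAT: LAN clients hitting host:hostPort reach container:containerPort.
    forwardPorts = map (p: {
      destination = "${containerLocal}:${toString p.containerPort}";
      sourcePort = p.hostPort;
      proto = "tcp";
    }) exposed;
    # One SNAT rule per exposed port, appended to the nixos-nat-post chain.
    extraCommands = lib.concatMapStrings snatRule exposed;
  };
}
```

Because of the SNAT, sshd inside the container logs every LAN client as 192.168.20.10; keep the host's own connection logs if you need the real source address for auditing.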

flokli commented 4 years ago

Is this a duplicate of #28721?

stale[bot] commented 3 years ago

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

Saturn745 commented 7 months ago

Having the same issue. Any fixes?