From b97584f5cb3d60d20e54c9ee43e6f94f012e5ed6 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 12 Aug 2020 14:46:16 +0000
Subject: [PATCH] netns: allow return traffic to outgoing connections

---
 modules/netns-isolation.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 81acfc5..4ca3544 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -160,6 +160,8 @@ in {
       ${ipNetns} route add default via ${bridgeIp}
       ${netnsIptables} -w -P INPUT DROP
       ${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
+      # allow return traffic to outgoing connections initiated by the service itself
+      ${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
     '' + (optionalString (config.services.${n}.enforceTor or false)) ''
       ${netnsIptables} -w -P OUTPUT DROP
       ${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
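Review bot: The added INPUT rule matches only `ESTABLISHED`, so ICMP error messages tied to the service's own outgoing connections (e.g. destination-unreachable or fragmentation-needed for PMTU discovery) still hit the `-P INPUT DROP` policy, which can show up as hung or slow TCP sessions rather than clean failures; the usual stateful form is `${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. If excluding RELATED is intentional for this namespace, say so in the comment so the next reader does not "fix" it, e.g. `# ESTABLISHED only: RELATED (ICMP errors, helper-opened flows) deliberately not accepted`. The rule is otherwise safe to add because, with INPUT defaulting to DROP and no other NEW-accepting rule visible in this hunk, conntrack entries can only originate from the namespace's own outbound traffic or from the already-accepted source addresses. Note that `-m conntrack` needs the conntrack match available inside the netns; whether that module is guaranteed to be loaded is not visible here, so worth confirming the first invocation does not fail and leave the chain with a bare DROP policy. The surrounding Nix string continues outside the hunk.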