netns: allow return traffic to outgoing connections

This commit is contained in:
nixbitcoin 2020-08-12 14:46:16 +00:00
parent 99295328b4
commit b97584f5cb
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA


@ -160,6 +160,8 @@ in {
${ipNetns} route add default via ${bridgeIp} ${ipNetns} route add default via ${bridgeIp}
${netnsIptables} -w -P INPUT DROP ${netnsIptables} -w -P INPUT DROP
${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT ${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
# allow return traffic to outgoing connections initiated by the service itself
${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
'' + (optionalString (config.services.${n}.enforceTor or false)) '' '' + (optionalString (config.services.${n}.enforceTor or false)) ''
${netnsIptables} -w -P OUTPUT DROP ${netnsIptables} -w -P OUTPUT DROP
${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT ${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
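Review bot: The new INPUT rule on the conntrack line matches only `ESTABLISHED`, so packets conntrack classifies as `RELATED` — notably ICMP errors such as fragmentation-needed tied to the service's own outgoing connections — still fall through to the `-P INPUT DROP` policy set two lines earlier, which can surface as stalled connections rather than clean failures. If excluding RELATED is a deliberate tightening, the comment above the rule should say so; otherwise the usual form is `${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Since the rule relies on the conntrack match extension being available inside the namespace, iptables will fail at rule-load time (not silently) if it is missing; whether the netns setup, which starts outside this hunk, guarantees that is not visible here and is worth confirming.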