!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking
915 Members, 267 Servers
Declaratively manage your switching, routing, wireless, tunneling and more.



8 Dec 2025
[14:27:32] K900 (@k900:0upti.me): Well that depends on how you implemented it
[14:29:10] okamis (@okamis:matrix.org): iptables -t filter -I FORWARD 1 -m state --state NEW -j DROP
[14:29:28] K900 (@k900:0upti.me): Yeah that's not all outgoing connections
[14:29:28] okamis (@okamis:matrix.org): oh sorry should be OUTGOING instead of forward
[14:29:35] K900 (@k900:0upti.me): That is also a bad idea
[14:29:40] K900 (@k900:0upti.me): You want to match on interface
[14:29:45] K900 (@k900:0upti.me): Or explicitly exclude loopback I guess
[15:21:45] okamis (@okamis:matrix.org):

is this reasonable?

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -j DROP

[15:22:48] K900 (@k900:0upti.me): Probably
[15:22:54] K900 (@k900:0upti.me): I don't remember iptables well enough
9 Dec 2025
[17:25:09] adamcstephens (@adam:robins.wtf) changed their profile picture.
[17:48:29] adamcstephens (@adam:robins.wtf) changed their profile picture.
10 Dec 2025
[12:17:46] Theodora (@truelle_trash_queen:matrix.org) changed their display name from Theodora The Absurdist Schizotisticoball to Theodora.
[14:49:51] adamcstephens (@adam:robins.wtf) changed their profile picture.
[21:56:03] DenKn (@denkn:denkn.at): these rules are a little bit strange. Typically, established connections are allowed first via conntrack, and at the end of the table anything else is REJECT (do not use DROP; you do not know which effects it has, right?).
[21:56:44] DenKn (@denkn:denkn.at): So, first use simple rules with ACCEPT, and at the end REJECT anything which was not accepted.
[21:58:23] DenKn (@denkn:denkn.at): If you have not used firewalls yet, use nftables instead of iptables. iptables is not dead, but nftables is better.
[23:23:19] JManch (@jmanch:matrix.org) joined the room.
11 Dec 2025
[20:21:50] TG × ⊙ (@tg-x:asra.gr) joined the room.
12 Dec 2025
[04:51:30] whispers (it/fae) (@whispers:catgirl.cloud) changed their profile picture.
[21:47:11] Alex Epelde (@alex:epelde.net) joined the room.
14 Dec 2025
[03:42:57] @n4ch723hr3r:nope.chat changed their display name from n4ch723hr3r to n4ch723hr3r (stuff in name is cringe).
[13:29:56] suua (@suua:matrix.org) joined the room.
15 Dec 2025
[00:16:13] @n4ch723hr3r:nope.chat changed their display name from n4ch723hr3r (stuff in name is cringe) to MOVED TO n4ch7@n3831.net.
[14:36:27] DenKn (@denkn:denkn.at): * these rules are a little bit strange. Typically, established connections are allowed first via conntrack, and at the end of the table anything else is REJECT (do not use DROP; you do not know which effects it has, right?).
16 Dec 2025
[05:12:39] n4ch723hr3r (putting stuff in your name is cringe) (@n4ch7:n3831.net) joined the room.
[05:12:45] @n4ch723hr3r:nope.chat left the room.
[23:45:40] Sandro 🐧 (@sandro:supersandro.de): FYI https://github.com/NixOS/nixpkgs/pull/468790
17 Dec 2025
[20:37:22] mall0c (@mall0c:matrix.org) joined the room.
[21:43:40] Marcus (@marcusramberg:matrix.org): What's the right way to configure the nixos firewall with ipv6 so it allows internet connections from the trusted interfaces, but doesn't forward connections from the wan? Seems I can ssh straight into my lan interface from the internet if filterForward is off, but can't ssh out of my lan if it's on.



Room Version: 6