| 8 Dec 2025 |
 okamis | Im using runnixostest interactive as a playground environment. I would like it to be a bit similar as non-interactive, so I would like ssh access but not access to the internet, whats a good way to achieve that? Currently im running "ip route del default" in the testscript. | 14:24:11 |
 K900 | Could just firewall all outgoing connections | 14:24:36 |
| okamis | I had a rule drop all outgoing, and it screwed up kubectl connecting to k3s using localhost:8080, | 14:26:38 |
| K900 | Well that depends on how you implemented it | 14:27:32 |
| okamis | iptables -t filter -I FORWARD 1 -m state --state NEW -j DROP | 14:29:10 |
| K900 | Yeah that's not all outgoing connections | 14:29:28 |
| okamis | oh sorry should be OUTGOING instead of forward | 14:29:28 |
| K900 | That is also a bad idea | 14:29:35 |
| K900 | You want to match on interface | 14:29:40 |
| K900 | Or explicitly exclude loopback I guess | 14:29:45 |
| okamis | is this reasonable?
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -j DROP
| 15:21:45 |
| K900 | Probably | 15:22:48 |
| K900 | I don't remember iptables well enough | 15:22:54 |
| 9 Dec 2025 |
|  adamcstephens changed their profile picture. | 17:25:09 |
| adamcstephens changed their profile picture. | 17:48:29 |
| 10 Dec 2025 |
|  Theodora changed their display name from Theodora The Absurdist Schizotisticoball to Theodora. | 12:17:46 |
| adamcstephens changed their profile picture. | 14:49:51 |
 DenKn | these rules are a little bit strange. typicaly first via contrack established connections are allowed, and at the end of the table anything else is REJECT (do not use DROP, you not know, which effects it has, right?). | 21:56:03 |
| DenKn | So, first use simple rules with ACCEPT, and at the end REJECT anything, which was not accepted. | 21:56:44 |
| DenKn | If you do not used firewalls, yet, use nftables instead of iptables. iptables is not dead, but nftables ist better. | 21:58:23 |
|  JManch joined the room. | 23:23:19 |
| 11 Dec 2025 |
|  TG × ⊙ joined the room. | 20:21:50 |
| 12 Dec 2025 |
|  whispers (it/fae) changed their profile picture. | 04:51:30 |
|  Alex Epelde joined the room. | 21:47:11 |
| 14 Dec 2025 |
|  @n4ch723hr3r:nope.chat changed their display name from n4ch723hr3r to n4ch723hr3r (stuff in name is cringe). | 03:42:57 |
|  suua joined the room. | 13:29:56 |
| 15 Dec 2025 |
| @n4ch723hr3r:nope.chat changed their display name from n4ch723hr3r (stuff in name is cringe) to MOVED TO n4ch7@n3831.net. | 00:16:13 |
| DenKn | * these rules are a little bit strange. typicaly first via contrack established connections are allowed, and at the end of the table anything else is REJECT (do not use DROP, you do not know, which effects it has, right?). | 14:36:27 |
| 16 Dec 2025 |
|  n4ch723hr3r (putting stuff in your name is cringe) joined the room. | 05:12:39 |
| @n4ch723hr3r:nope.chat left the room. | 05:12:45 |
