 _posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+), 0 deletions(-)
diff --git a/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md b/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md
index 0be4238..3a43f1a 100644
--- a/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md
+++ b/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md
@@ -2,6 +2,7 @@
layout: post
title: 'DN42: Put it in a box (Linux network namespace)'
date: 2025-02-02 17:10 +0100
+last_modified_at: 2025-06-18 19:12 +0200
lang: "en"
categories: "tech"
description: "I explain how I put my Autonomous System in a network namespace."
@@ -59,6 +60,8 @@ Inside the namespace run:
(from within a Wireguard net)
- Nginx, which serves my DN42 website
+**Update 2025-06-18**: nginx now runs inside the namespace as well.
+
It took me a while and some internet searches to come up with the firewall
rules. On my VPS itself I use ufw, for the network namespace, I *could probably*
make this work as well, but I decided to use "iptables", or rather, the wrapper
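Review bot: the added `**Update 2025-06-18**: nginx now runs inside the namespace as well.` line sits directly under the `- Nginx, which serves my DN42 website` list item with no blank line in between, so Markdown will treat it as a lazy continuation of that list item rather than a separate paragraph. Insert an empty line before the update line (as was done after it) so the note renders as its own paragraph below the list.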
@@ -89,6 +92,18 @@ With an additional forward rule, everything is happy again:
-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
```
+**Update 2025-06-18**: I modified this several times since then.
+Since I also need to take care of actual routing/forwarding within DN42,
+I now ended up with
+
+```
+-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT
+-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+```
+
+i.e. I don't rely on the source address being fcee::1 anymore.
+
Also, I also feel pretty clever for making sure I can access DN42 from my
clearnet:
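Review bot: the new rule `-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT` accepts forwarded traffic to the whole DN42 ULA range from any source arriving on eth0, which is a wider grant than the old `-s fcee::1/128` rule it replaces, and the prose ("I don't rely on the source address being fcee::1 anymore") confirms that widening is intentional. Since the next paragraph says the goal is access from your own clearnet side, consider keeping a `-s` restriction to the host address or the WireGuard endpoints that are supposed to originate such traffic, so the ACCEPT does not also cover anything else eth0 may deliver toward fd00::/8. Two smaller points: the `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule is conventionally placed first in the chain so return traffic short-circuits before the per-prefix rules are evaluated, and the new fenced block has no language tag, while a tag helps readers tell iptables-save output from shell commands.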