From baa5612f50704950d483af06bb92c9c8dd8b8ef8 Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Wed, 18 Jun 2025 19:15:59 +0200
Subject: Update DN42 namespace post with new rules

---
 ...-02-02-dn42-put-it-in-a-box-linux-network-namespace.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)


diff --git a/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md b/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md
index 0be4238..3a43f1a 100644
--- a/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md
+++ b/_posts/2025-02-02-dn42-put-it-in-a-box-linux-network-namespace.md
@@ -2,6 +2,7 @@
 layout: post
 title: 'DN42: Put it in a box (Linux network namespace)'
 date: 2025-02-02 17:10 +0100
+last_modified_at: 2025-06-18 19:12 +0200
 lang: "en"
 categories: "tech"
 description: "I explain how I put my Autonomous System in a network namespace."
@@ -59,6 +60,8 @@ Inside the namespace run:
   (from within a Wireguard net)
 - Nginx, which serves my DN42 website
 
+**Update 2025-06-18**: nginx now runs inside the namespace as well.
+
 It took me a while and some internet searches to come up with the firewall
 rules. On my VPS itself I use ufw, for the network namespace, I *could probably*
 make this work as well, but I decided to use "iptables", or rather, the wrapper
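Review bot: the appended update at the end of this hunk ("nginx now runs inside the namespace as well") sits directly under a bullet that still reads `- Nginx, which serves my DN42 website`, while the hunk's context line is `Inside the namespace run:`, so a reader cannot tell whether that bullet belongs to the inside or the outside list and the two statements look contradictory. Suggest moving the Nginx bullet into the "Inside the namespace run:" list (or marking the old bullet as superseded) so the list reflects the current layout without depending on the bold update, and saying which firewall rule had to change for nginx to be reachable once it moved, since the rules shown later in the post only touch the FORWARD chain.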
@@ -89,6 +92,18 @@ With an additional forward rule, everything is happy again:
 -A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
 ```
 
+**Update 2025-06-18**: I modified this several times since then.
+Since I also need to take care of actual routing/forwarding within DN42,
+I now ended up with
+
+```
+-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT
+-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+```
+
+i.e. I don't rely on the source address being fcee::1 anymore.
+
 Also, I also feel pretty clever for making sure I can access DN42 from my
 clearnet:
 