Nixos-container and ip failover

apeyroux · October 8, 2018, 1:25pm

Hello everyone,

I have a server that has an ip fix that is attached to a bridge. I would like to attach an ipfailover to a container so that the container is directly accessible with its ip failover from the internet.

I have tried several configurations but I can’t do it. I also tried to look for examples in https://github.com/NixOS/nixpkgs/tree/2456e8475ffd7363fe194505ef0488dfc89a8eb1/nixos/tests …

Here are my examples of configurations: gist:2b54c8db090be6b882b02aae30dcb32f · GitHub

Mic92 · October 8, 2018, 2:52pm

You need to make sure that you allow forwarding:

{
  boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
}

You can check your current state with:

$ sudo sysctl -a | grep forward

Make you also sure your firewall i.e. iptables does not block forwarding.

$ sudo iptables -S | grep FORWARD
-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

apeyroux · October 8, 2018, 3:18pm

Thank you for your answer. Yes, I had:

boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };

I also have

sudo iptables -S | grep FORWARD
-P FORWARD ACCEPT

But I don’t have a

-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT

Is that important?

Mic92 · October 8, 2018, 3:21pm

No the virbr0 bridge rules are generated by libvirt. I guess it is better to ask this kind of networking debugging in the irc as there would be several followup questions. In particular I don’t see a default route set in your container.

Moredread · October 8, 2018, 9:21pm

One word of warning, the NixOS firewall doesn’t protect you from issues relating to ip forwarding by default (as I recently learned by accident ).

Without setting your own rules you might expose containers or e.g. IP segments from VPNs (esp. when you additionally aren’t careful with masquerading) to other hosts on the same network.

I.e. they can set your host as a gateway for the container subnets and access them directly via their “internal” IPs, possibly bypassing protection measures like reverse proxies.

apeyroux · October 8, 2018, 9:42pm

My idea was to have a gitlab so HTTPS and ssh in a container with a dedicated Internet IP. If there was only the 443 a nginx in front to do a reverse proxy was enough but the 22… It’s more complicated with reverse proxy that’s why I need to have a public ip dedicated to the container.

I can also do port forwarding but it doesn’t suit me.