Nixos-container and ip failover

Hello everyone,

I have a server that has an ip fix that is attached to a bridge. I would like to attach an ipfailover to a container so that the container is directly accessible with its ip failover from the internet.

I have tried several configurations but I can’t do it. I also tried to look for examples in nixpkgs/nixos/tests at 2456e8475ffd7363fe194505ef0488dfc89a8eb1 · NixOS/nixpkgs · GitHub

Here are my examples of configurations: gist:2b54c8db090be6b882b02aae30dcb32f · GitHub

You need to make sure that you allow forwarding:

  boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";

You can check your current state with:

$ sudo sysctl -a | grep forward

Make you also sure your firewall i.e. iptables does not block forwarding.

$ sudo iptables -S | grep FORWARD
-A FORWARD -d -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

Thank you for your answer. Yes, I had:

boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };

I also have

sudo iptables -S | grep FORWARD

But I don’t have a

-A FORWARD -d -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT

Is that important?

No the virbr0 bridge rules are generated by libvirt. I guess it is better to ask this kind of networking debugging in the irc as there would be several followup questions. In particular I don’t see a default route set in your container.

One word of warning, the NixOS firewall doesn’t protect you from issues relating to ip forwarding by default (as I recently learned by accident :confused: ).

Without setting your own rules you might expose containers or e.g. IP segments from VPNs (esp. when you additionally aren’t careful with masquerading) to other hosts on the same network.

I.e. they can set your host as a gateway for the container subnets and access them directly via their “internal” IPs, possibly bypassing protection measures like reverse proxies.

My idea was to have a gitlab so HTTPS and ssh in a container with a dedicated Internet IP. If there was only the 443 a nginx in front to do a reverse proxy was enough but the 22… It’s more complicated with reverse proxy :wink: that’s why I need to have a public ip dedicated to the container.

I can also do port forwarding but it doesn’t suit me.