From 32e6d3b60ade1061487182193fff86039f408a26 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Thu, 12 Dec 2024 16:58:52 +0100
Subject: [PATCH] fix mangle rules for incoming traffic
---
 systems/LoutreOS/network.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index 4c51361..7c8b54b 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -88,9 +88,14 @@
 ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
 ip46tables -w -t mangle -N loutreos-mangle-pre
- # Restore the packet's CONNMARK to the MARK for existing connections
+ # Restore the packet's CONNMARK to the MARK for existing incoming connections
 ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
+ # Restore CONNMARK to MARK for outgoing packets before final routing decision
+ ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
+ ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
+
+
 # If packet MARK is set, then it means that there is already a connection mark
 ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
@@ -100,8 +105,11 @@
 ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
 ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
+ # Save new mark in CONNMARK
+ ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
+
 # Jump to newly created target
- ip46tables -w -t mangle -A PREROUTING -j loutreos-mangle-pre
+ ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
 # Save MARK to CONNMARK.
 ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true
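Review bot: The new `CONNMARK --restore-mark` rule for locally generated packets is appended straight to the built-in OUTPUT chain, while every other rule this block manages lives in loutreos-mangle-pre, which the `-X`/`-N` pair at the top of the hunk recreates on each run. The `-D … 2>/dev/null || true` before the `-A` removes only one copy, so the rule outlives whatever tears down loutreos-mangle-pre and its position relative to OUTPUT rules placed by other modules is whatever the last reload produced. A comment such as `# Lives in the built-in OUTPUT chain on purpose: it must survive the loutreos-mangle-pre rebuild above` would make the lifecycle explicit, or the rule could move into its own managed chain that OUTPUT jumps to. The enclosing shell string starts before the hunk.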
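Review bot: Moving the jump to `-I PREROUTING 1` makes loutreos-mangle-pre run before every other mangle PREROUTING rule, and the existing `-m mark ! --mark 0 -j ACCEPT` rule in that chain (first hunk) is a terminating ACCEPT rather than a RETURN, and in iptables an ACCEPT reached inside a user-defined chain ends the packet's traversal of the built-in chain. Every packet of an already-marked connection therefore skips all later mangle PREROUTING rules, including any another NixOS module appends. If the goal is only to bypass the interface marking and the new `--save-mark` for those packets, `ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j RETURN` keeps that behaviour and lets the rest of PREROUTING run. The POSTROUTING `--save-mark` kept as context now duplicates the in-chain save; if it is still needed for marks set outside this chain, a comment saying so would help. The enclosing shell string starts before the hunk and continues past it.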