upstream: fix masquerading

2024-04-11 23:58:09 +02:00 · 2024-04-11 23:58:09 +02:00 · 611ac377be
parent a2f7356c53
commit 611ac377be
1 changed files with 11 additions and 1 deletions
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -103,7 +103,17 @@ in
            -d ${staticIpv4Address} -p ${fwd.proto} \
            --dport ${builtins.toString fwd.sourcePort} \
            -j DNAT --to-destination ${fwd.destination}
-        '') config.networking.nat.forwardPorts}
+
+          iptables -t nat -A nixos-nat-post \
+            -d ${fwd.destination} -p ${fwd.proto} \
+            --dport ${builtins.toString fwd.destination} \
+            -s ${config.site.net.core.subnet4} -j MASQUERADE
+
+          iptables -t nat -A nixos-nat-post \
+            -d ${fwd.destination} -p ${fwd.proto} \
+            --dport ${builtins.toString fwd.destination} \
+            -s ${config.site.net.c3d2.subnets4} -j MASQUERADE
+        '')  config.networking.nat.forwardPorts}
      ''}

      # Do not NAT our public IPv4 addresses