hosts/carbon: Don't send IPv4 to ppp tunnel

profiles/router: Add applications to debug conntrack more
2025-11-21 18:33:42 +01:00 · 2025-11-21 18:28:42 +01:00
3 changed files with 12 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -666,11 +666,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1763421233,
-        "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
+        "lastModified": 1761114652,
+        "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",
+        "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
        "type": "github"
      },
      "original": {
--- a/hosts/carbon/ppp-ncfttb.nix
+++ b/hosts/carbon/ppp-ncfttb.nix
@@ -60,4 +60,10 @@
    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';

+  networking.firewall.extraCommands = ''
+    # Reject all IPv4 traffic that tries to enter and leave the PPP tunnel
+    iptables -I INPUT -i ppp-ncfttb -j DROP
+    iptables -I OUTPUT -o ppp-ncfttb -j DROP
+  '';
+
 }
--- a/profiles/router/default.nix
+++ b/profiles/router/default.nix
@@ -11,8 +11,10 @@ with lib;
  config = mkIf config.profiles.clerie.router.enable {

    environment.systemPackages = with pkgs; [
-      wireguard-tools
+      conntrack-tools
+      iptstate # show conntrack table
      tcpdump
+      wireguard-tools
    ];
  
    boot.kernel.sysctl = {
Author	SHA1	Message	Date
clerie	bd1716eb23	hosts/carbon: Don't send IPv4 to ppp tunnel	2025-11-21 18:33:42 +01:00
clerie	a5125e92a6	profiles/router: Add applications to debug conntrack more	2025-11-21 18:28:42 +01:00