From ad1320ce807e9a981b5b193394359fc2c2fe5fd0 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 18 Jan 2023 20:03:06 +0100
Subject: [PATCH] l riot: use iptables for port forwarding

---
 lass/2configs/riot.nix | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix
index 559e7b20d..6aacec5b6 100644
--- a/lass/2configs/riot.nix
+++ b/lass/2configs/riot.nix
@@ -31,27 +31,31 @@
     privateNetwork = true;
     hostAddress = "10.233.1.1";
     localAddress = "10.233.1.2";
-    forwardPorts = [
-      { hostPort = 45622; containerPort = 22; }
-    ];
   };
 
   systemd.network.networks."50-ve-riot" = {
     matchConfig.Name = "ve-riot";
 
     networkConfig = {
-      IPForward = "yes";
       # weirdly we have to use POSTROUTING MASQUERADE here
+      # and set ip_forward manually
+      # IPForward = "yes";
       # IPMasquerade = "both";
       LinkLocalAddressing = "no";
       KeepConfiguration = "static";
     };
   };
 
-  # networking.nat can be used instead of this
+  boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
+
   krebs.iptables.tables.nat.POSTROUTING.rules = [
     { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; }
   ];
+
+  # networking.nat can be used instead of this
+  krebs.iptables.tables.nat.PREROUTING.rules = [
+    { predicate = "-p tcp --dport 45622"; target = "DNAT --to-destination ${config.containers.riot.localAddress}:22"; v6 = false; }
+  ];
   krebs.iptables.tables.filter.FORWARD.rules = [
     { predicate = "-i ve-riot"; target = "ACCEPT"; }
     { predicate = "-o ve-riot"; target = "ACCEPT"; }
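Review bot: The new PREROUTING DNAT rule on the `krebs.iptables.tables.nat.PREROUTING.rules` line is not qualified by an input interface, so it rewrites TCP/45622 arriving on any interface, including ve-riot itself and any other internal link the host has; if the intent is to expose the container's SSH only on the uplink, pin it with `{ predicate = "! -i ve-riot -p tcp --dport 45622"; target = "DNAT --to-destination ${config.containers.riot.localAddress}:22"; v6 = false; }` or an explicit `-i <uplink>` match. Setting `net.ipv4.ip_forward = 1` turns on forwarding for every interface on the host, not just ve-riot, so whatever default policy the filter FORWARD chain carries (not visible here) now governs routing between all host networks; a short comment stating that the FORWARD chain is expected to default to DROP, or making the policy explicit in this module, would document the assumption. Note also that a DNAT in PREROUTING only covers traffic entering from the network; connections from the host itself to 45622 are not rewritten unless a matching rule is added to the nat OUTPUT chain, which the removed `forwardPorts` option may or may not have handled. The `krebs.iptables.tables.filter.FORWARD.rules` list continues past the end of the hunk.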