firewall: give docker more freedom

2023-06-05 04:43:07 +02:00 · 2023-06-05 04:43:07 +02:00 · 842b3f0ac7
commit 842b3f0ac7
parent 2c387448ba
1 changed files with 4 additions and 1 deletions
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -54,6 +54,9 @@ in
        }

        table ip nat {
+          chain DOCKER {
+            type nat hook prerouting priority dstnat; policy accept;
+          }
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
          }
@ -142,6 +145,7 @@ in
            ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
            ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
            ip saddr ${lan.net} accept comment "lan > local"
+            iifname ${docker.interface} accept
            ip saddr ${tailscale.net} accept comment "tailscale > local"
            ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"

@ -151,7 +155,6 @@ in
            iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
                      
            iifname ${wireguard.interface} icmp type echo-request accept
-            iifname ${docker.interface} udp dport 53 accept
            jump filter_drop
          }