Diffstat (limited to 'modules/foundation')
| -rw-r--r-- | modules/foundation/services/networks.nix | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 72e5b48..8be5723 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -168,6 +168,27 @@ in
 "net.ipv6.conf.default.forwarding" = 1;
 };
+ networking.firewall = {
+ # both options should work together to let all packets coming from
+ # docker bridges through.
+ trustedInterfaces = [ "br-*" ];
+ extraCommands = ''
+ # allow inbound packets
+ ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
+
+ # allow outbound to the docker bridge
+ ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
+
+ # allow forwarding between bridges+external interfaces
+ ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
+ ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
+
+ # allow return traffic
+ # note: nothing works without this!
+ ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+ '';
+ };
+
 systemd.services = let
 prefixOffset = 100; |
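Review bot: `ip6tables -I FORWARD -o br-+ -j ACCEPT` (the second forwarding rule in extraCommands) accepts forwarded IPv6 from any interface into every docker bridge, so together with `net.ipv6.conf.default.forwarding = 1` set a few lines above, any container address reachable through a routed prefix receives unsolicited inbound traffic that never passes the host's nixos-fw filtering. The `-i br-+ -j ACCEPT` rule covers container-originated flows and the conntrack rule admits their replies, so dropping the `-o br-+ -j ACCEPT` line (or replacing it with an explicit per-port allowlist) closes that path; the "nothing works without this!" note on the conntrack rule suggests the rules were observed in a different order than `-I` produces here, which is worth re-verifying. The `2>/dev/null || true` suffix on every line makes the rule set fail open silently — for example the `-o br-+` match in `nixos-fw`, a chain reached from INPUT where an output-interface match is likely rejected by the kernel, would simply vanish without a trace — so at least let the failure reach the log. There is no matching `networking.firewall.extraStopCommands`, so each `-I FORWARD` rule is re-inserted on every firewall restart without being removed; pair each with `ip6tables -D FORWARD ... 2>/dev/null || true` there. `trustedInterfaces = [ "br-*" ]` renders as an iptables `-i br-*` match where only a trailing `+` acts as a wildcard, so under the iptables backend this is likely a literal name that never matches and the extraCommands are doing all of the work (the enclosing attribute set continues outside the hunk).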
