Don't forward any docker traffic

Access to the 23080 local port will be done by applying the INPUT rules, which pass through nixos-fw. Reviewed-by: Aleix Boné <abonerib@bsc.es>
2025-04-15 12:46:08 +02:00 · 2025-04-15 12:46:08 +02:00 · d0f151595f
commit d0f151595f
parent 93f8d3aa89
1 changed files with 3 additions and 4 deletions
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@ -99,10 +99,9 @@
  # DOCKER* chains are useless, override at FORWARD and nixos-fw
  networking.firewall.extraCommands = ''
-    # Allow docker to use our proxy
+    # Don't forward any traffic from docker
-    iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
+    iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
-    # Block anything else coming from docker
+
    iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
    # Allow incoming traffic from docker to 23080
    iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
  '';