From 44bd061823860d79eb9e194199b45f1e197f3772 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Tue, 15 Apr 2025 12:46:08 +0200
Subject: [PATCH] Don't forward any docker traffic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Access to the 23080 local port will be done by applying the INPUT rules, which pass through nixos-fw.

Reviewed-by: Aleix Boné
---
 m/hut/gitlab-runner.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index a68d8d1..2fe7c1c 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -99,10 +99,9 @@
 # DOCKER* chains are useless, override at FORWARD and nixos-fw
 networking.firewall.extraCommands = ''
- # Allow docker to use our proxy
- iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
- # Block anything else coming from docker
- iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+ # Don't forward any traffic from docker
+ iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
+ # Allow incoming traffic from docker to 23080
 iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
 '';
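Review bot: The new `iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse` line goes into the kernel's FORWARD chain, which, as far as I can tell, the NixOS firewall start script never flushes (it only rebuilds its own nixos-fw* chains), and nothing in this hunk removes the rule again. Unless a matching `networking.firewall.extraStopCommands` exists outside the hunk, every firewall reload inserts another copy, and switching a live host to this revision leaves the previous `-I FORWARD 1 ... -j nixos-fw-accept` rule in place until reboot, so the forwarded proxy path this commit intends to close can stay open until then. I would pair the rule with a cleanup such as `networking.firewall.extraStopCommands = ''iptables -D FORWARD -p all -i docker0 -j nixos-fw-log-refuse 2>/dev/null || true'';` and, for the transition, note in the commit message that the old accept rule must be deleted once by hand or the host rebooted. The `-A nixos-fw` ACCEPT on the kept context line is unaffected, since that chain is rebuilt on every reload.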