rarias/jungle
rarias/jungle
2
0
Fork 2
Code Issues 54 Pull Requests 7 Actions Packages Projects Releases Wiki Activity

Don't forward any docker traffic

Browse Source 
Access to the 23080 local port will be done by applying the INPUT rules,
which pass through nixos-fw.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
This commit is contained in:
Rodrigo Arias 2025-04-15 12:46:08 +02:00
parent e8c309f584
commit 44bd061823
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
m/hut/gitlab-runner.nix
View File

@ -99,10 +99,9 @@
# DOCKER* chains are useless, override at FORWARD and nixos-fw # DOCKER* chains are useless, override at FORWARD and nixos-fw
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
# Allow docker to use our proxy # Don't forward any traffic from docker
iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
# Block anything else coming from docker
iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
# Allow incoming traffic from docker to 23080 # Allow incoming traffic from docker to 23080
iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
''; '';