From 93f8d3aa8902d797c0a32597dc53fd31f5d8e55f Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Tue, 15 Apr 2025 12:17:00 +0200
Subject: [PATCH] Allow traffic from docker to enter port 23080
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before:
hut% sudo docker run -it --rm alpine /bin/ash -xc 'true | nc -w 3 -v 10.0.40.7 23080'
+ true
+ nc -w 3 -v 10.0.40.7 23080
nc: 10.0.40.7 (10.0.40.7:23080): Operation timed out
After:
hut% sudo docker run -it --rm alpine /bin/ash -xc 'true | nc -w 3 -v 10.0.40.7 23080'
+ true
+ nc -w 3 -v 10.0.40.7 23080
10.0.40.7 (10.0.40.7:23080) open
Fixes: https://jungle.bsc.es/git/rarias/jungle/issues/94
Reviewed-by: Aleix Boné
---
 m/hut/gitlab-runner.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index 9241e5de..a68d8d17 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -97,12 +97,14 @@
 };
 };
-# DOCKER* chains are useless, override at FORWARD
+# DOCKER* chains are useless, override at FORWARD and nixos-fw
 networking.firewall.extraCommands = ''
 # Allow docker to use our proxy
 iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
 # Block anything else coming from docker
 iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+# Allow incoming traffic from docker to 23080
+iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
 '';
 #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
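Review bot: The new nixos-fw rule jumps straight to `ACCEPT` while the FORWARD rule two lines above it, which admits the same traffic, jumps to `nixos-fw-accept`; using the same target in both keeps the two allow rules symmetric and keeps the accept path under the one chain the module controls, i.e. `iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept`. Appending to nixos-fw only has the intended effect because extraCommands run before the chain's final refuse rule, which is what the NixOS option documents; a one-line comment stating that dependency, `# extraCommands run before the final nixos-fw refuse rule, so -A lands ahead of it`, would save the next reader from checking. Note also that `-i docker0` matches only the default bridge, so containers attached to user-defined Docker networks (which get their own bridge interface) still hit the refuse path; worth saying in the comment if that is intentional. As in the two FORWARD rules, `-d hut` is resolved by iptables when the rule is loaded, so the rule silently follows whatever that name resolves to at boot; pinning the address would make the allow list explicit.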