diff --git a/ports.toml b/ports.toml
index 95da6d4..bdf1547 100644
--- a/ports.toml
+++ b/ports.toml
@@ -34,3 +34,13 @@ protocol = "both"
 name = "7DTD voice/dynamic"
 ports = "26901-26902"
 protocol = "udp"
+
+[[forward]]
+name = "7DTD-coop game"
+port = 26910
+protocol = "both"
+
+[[forward]]
+name = "7DTD-coop voice/dynamic"
+ports = "26911-26912"
+protocol = "udp"
diff --git a/services/router.nix b/services/router.nix
index cf480ef..7da9a2d 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -126,6 +126,8 @@ in
             ct state invalid drop
             # LAN → anywhere
             iifname "eth0" accept
+            # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
+            iifname "docker0" accept
             # WAN → LAN only if it was DNAT'd by a port-forward rule
             iifname "eno1" oifname "eth0" ct status dnat accept
           }