router: allow docker0 forward and expose 7dtd-coop ports

Container outbound (image pulls, LinuxGSM bootstrap fetches) was dropped by the inet filter forward chain — only eth0 and DNAT'd WAN traffic were whitelisted. Add iifname "docker0" accept so containers can reach the internet. Also add the coop server's 26910/26911-26912 forwards to ports.toml so WAN players can connect. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 15:35:26 +01:00 · 2026-04-25 15:35:26 +01:00 · 568b815d8d
commit 568b815d8d
parent 4d84fe2df3
2 changed files with 12 additions and 0 deletions
--- a/services/router.nix
+++ b/services/router.nix
@ -126,6 +126,8 @@ in
            ct state invalid drop
            # LAN → anywhere
            iifname "eth0" accept
+            # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
+            iifname "docker0" accept
            # WAN → LAN only if it was DNAT'd by a port-forward rule
            iifname "eno1" oifname "eth0" ct status dnat accept
          }