From c1750c853837ff5715cb5394929376bf4adc700a Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Sun, 26 Apr 2026 19:42:15 +0100
Subject: [PATCH] router: allow WAN port-forwards to any DNAT target, not just eth0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The forward rule only accepted iifname=eno1 oifname=eth0 ct status=dnat, which worked when port-forwards always landed on a LAN host. Docker DNAT routes to docker0, so external traffic to 26900 was being DNAT'd correctly but then dropped at the forward filter. Drop the oifname constraint — the prerouting DNAT rule already controls what gets forwarded; the filter doesn't need to second-guess it.
---
 services/router.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/router.nix b/services/router.nix
index 7da9a2d..e201a63 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -128,8 +128,8 @@ in
 iifname "eth0" accept
 # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
 iifname "docker0" accept
- # WAN → LAN only if it was DNAT'd by a port-forward rule
- iifname "eno1" oifname "eth0" ct status dnat accept
+ # WAN → any port-forward target (LAN host or docker container)
+ iifname "eno1" ct status dnat accept
 }
 chain output {
 type filter hook output priority 0; policy accept;
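Review bot: The new `iifname "eno1" ct status dnat accept` line accepts DNAT'd WAN traffic toward every output interface, not only the two the comment names, so the forward chain no longer limits where a port-forward can land — including back out eno1 or onto any interface added later. The commit message's premise that the prerouting DNAT rule is the sole gate only holds if nothing else installs DNAT rules; if Docker's own iptables management is enabled on this host (not visible in the hunk), its published-port DNAT entries would also satisfy `ct status dnat` and be forwarded without any explicit port-forward rule here. A set keeps the fix while preserving the interface restriction as defense in depth: `iifname "eno1" oifname { "eth0", "docker0" } ct status dnat accept`, with the comment changed to `# WAN → LAN host or docker container, only if DNAT'd by a port-forward rule`. The enclosing forward chain starts above the hunk, so whether an earlier rule already narrows this is not visible.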