router: allow WAN port-forwards to any DNAT target, not just eth0

The forward rule only accepted iifname=eno1 oifname=eth0 ct status=dnat, which worked when port-forwards always landed on a LAN host. Docker DNAT routes to docker0, so external traffic to 26900 was being DNAT'd correctly but then dropped at the forward filter. Drop the oifname constraint — the prerouting DNAT rule already controls what gets forwarded; the filter doesn't need to second-guess it.
2026-04-26 19:42:15 +01:00 · 2026-04-26 19:42:15 +01:00 · c1750c8538
commit c1750c8538
parent a124f314d9
1 changed files with 2 additions and 2 deletions
--- a/services/router.nix
+++ b/services/router.nix
@ -128,8 +128,8 @@ in
            iifname "eth0" accept
            # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
            iifname "docker0" accept
-            # WAN → LAN only if it was DNAT'd by a port-forward rule
-            iifname "eno1" oifname "eth0" ct status dnat accept
+            # WAN → any port-forward target (LAN host or docker container)
+            iifname "eno1" ct status dnat accept
          }
          chain output {
            type filter hook output priority 0; policy accept;