router: accept docker0 on input chain
Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr at 10.0.0.1:7878) hit the input chain, not forward, because the destination is a local IP. The forward chain already trusts docker0 for outbound; this adds the matching input rule so the return path stops getting dropped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
98ccee2221
commit
c45811acf9
1 changed files with 5 additions and 0 deletions
|
|
@ -111,6 +111,11 @@ in
|
||||||
iifname "lo" accept
|
iifname "lo" accept
|
||||||
# LAN is trusted
|
# LAN is trusted
|
||||||
iifname "eth0" accept
|
iifname "eth0" accept
|
||||||
|
# Docker containers reaching host services (e.g. Profilarr → Radarr
|
||||||
|
# on 10.0.0.1:7878). The forward chain already trusts docker0 for
|
||||||
|
# outbound; this is the matching INPUT rule for traffic landing on
|
||||||
|
# the host's own LAN/bridge IPs from a container.
|
||||||
|
iifname "docker0" accept
|
||||||
# Phase 1: also trust the existing eero subnet on eno1 so SSH
|
# Phase 1: also trust the existing eero subnet on eno1 so SSH
|
||||||
# and AdGuard DNS keep working during the transition.
|
# and AdGuard DNS keep working during the transition.
|
||||||
${legacyTrustRules}
|
${legacyTrustRules}
|
||||||
|
|
|
||||||
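Review bot: The added `iifname "docker0" accept` in the input chain is unscoped, so every container on the default bridge can reach every port on every local address of the router, which is wider than the stated need of reaching host services such as Radarr on 10.0.0.1:7878 and puts docker0 on the same footing as `lo` and `eth0`. Consider limiting it to the destinations containers actually use, for example `iifname "docker0" ip daddr 10.0.0.1 tcp dport 7878 accept`, so a compromised container does not also get SSH and the other host listeners mentioned in the Phase 1 comment. The rule matches only the interface named docker0, so containers on user-defined Docker networks (bridge interfaces named `br-<id>`) will still be dropped; if that is intended, say so in the comment.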