diff --git a/config/nixos/common/server.nix b/config/nixos/common/server.nix
index 8240d85..dbe44bf 100644
--- a/config/nixos/common/server.nix
+++ b/config/nixos/common/server.nix
@@ -22,7 +22,7 @@
   firewall = {
     enable = true;
-    # Only truly external ports
+    # External ports
     allowedTCPPorts = [
       80 # HTTP
       443 # HTTPS
@@ -64,6 +64,24 @@
     "enp39s0".allowedTCPPorts = internalPorts;
   };
 
+  extraCommands = ''
+    # Allow established connections
+    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+    # Allow internal network traffic
+    iptables -A INPUT -i docker0 -j ACCEPT
+    iptables -A INPUT -i tailscale0 -j ACCEPT
+    iptables -A INPUT -s 192.168.86.0/24 -j ACCEPT
+
+    # Allow Docker container communication
+    iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
+
+    # Allow traffic between different Docker networks
+    iptables -A FORWARD -i br-* -o br-* -j ACCEPT
+    iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
+    iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
+  '';
+
   # Required for Tailscale
   checkReversePath = "loose";
 };
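Review bot: The `iptables -A INPUT -s 192.168.86.0/24 -j ACCEPT` line in the second hunk matches on source address alone, so a packet carrying a spoofed LAN source that arrives on the external interface is accepted too (`checkReversePath = "loose"` only requires that some route to the source exist); pin it to the LAN interface the file already names, `iptables -A INPUT -i enp39s0 -s 192.168.86.0/24 -j ACCEPT`. The three FORWARD rules use `br-*`, but iptables' interface wildcard is a trailing `+` (and an unquoted `*` is also subject to shell globbing before iptables sees it), so they most likely never match anything; write `-i br-+ -o br-+` and so on. Because `-A` appends, the INPUT rules land after the jump to the NixOS-managed `nixos-fw` chain and the DOCKER-USER rule lands after Docker's own RETURN, so I would expect both to be unreachable in practice — `trustedInterfaces = [ "docker0" "tailscale0" ];` (or `-A nixos-fw ... -j nixos-fw-accept`) and `iptables -I DOCKER-USER ...` are the forms that take effect, and the DOCKER-USER chain only exists once dockerd has started. The enclosing `firewall = { ... }` attribute set begins outside this hunk.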