From 3cb256f6e5344fe7c0da6525c7ecd94ff01a60cf Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Sat, 16 Nov 2024 03:08:23 +0100
Subject: [PATCH] adds iptables rules to allow established connections, internal network traffic, and Docker communication
---
config/nixos/common/server.nix | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/config/nixos/common/server.nix b/config/nixos/common/server.nix
index 8240d85..dbe44bf 100644
--- a/config/nixos/common/server.nix
+++ b/config/nixos/common/server.nix
@@ -22,7 +22,7 @@
 firewall = {
 enable = true;
- # Only truly external ports
+ # External ports
 allowedTCPPorts = [
 80 # HTTP
 443 # HTTPS
@@ -64,6 +64,24 @@
 "enp39s0".allowedTCPPorts = internalPorts;
 };
+ extraCommands = ''
+ # Allow established connections
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow internal network traffic
+ iptables -A INPUT -i docker0 -j ACCEPT
+ iptables -A INPUT -i tailscale0 -j ACCEPT
+ iptables -A INPUT -s 192.168.86.0/24 -j ACCEPT
+
+ # Allow Docker container communication
+ iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
+
+ # Allow traffic between different Docker networks
+ iptables -A FORWARD -i br-* -o br-* -j ACCEPT
+ iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
+ iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
+ '';
+
 # Required for Tailscale
 checkReversePath = "loose";
 };
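Review bot: The three FORWARD rules at the end of extraCommands use `br-*`, but the iptables interface wildcard is a trailing `+`, so `-i br-*`/`-o br-*` only match an interface literally named `br-*` and the inter-network Docker allowance never takes effect (an unquoted `*` is also a shell glob in the script this string is spliced into); write them as `iptables -A FORWARD -i br-+ -o br-+ -j ACCEPT` and likewise `-i docker0 -o br-+` and `-i br-+ -o docker0`. `iptables -A INPUT -s 192.168.86.0/24 -j ACCEPT` accepts by source address on every interface, and the `checkReversePath = "loose"` kept in the same hunk weakens the kernel's reverse-path check for that range, so bind it to the LAN-facing interface, `iptables -A INPUT -i enp39s0 -s 192.168.86.0/24 -j ACCEPT`, assuming enp39s0 is that interface as the internalPorts line above suggests. `-A DOCKER-USER` needs a chain that dockerd creates; if the firewall unit runs before Docker is up, that command fails and, depending on how the generated start script treats errors, may abort the commands after it. The ESTABLISHED,RELATED rule and the bare `-i docker0`/`-i tailscale0` accepts appear to duplicate what `networking.firewall` already does (its nixos-fw chain accepts established traffic, and `networking.firewall.trustedInterfaces = [ "docker0" "tailscale0" ];` expresses the interface allowance declaratively), so consider the option instead of raw INPUT rules.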