From 47980a1ab846882a8ed2ef2ba5d6eb8eb8fa2421 Mon Sep 17 00:00:00 2001 From: arush070 Date: Mon, 9 Mar 2026 05:19:11 +0000 Subject: [PATCH 1/2] fix(shadeform): allow container SSH through iptables DOCKER-USER chain --- v1/providers/shadeform/firewall.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go index cec4fb6..db74128 100644 --- a/v1/providers/shadeform/firewall.go +++ b/v1/providers/shadeform/firewall.go @@ -36,6 +36,9 @@ const ( // Allow inbound traffic on the loopback interface. ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT" + // Allow external inbound to container SSH (dport 22 because Docker DNAT rewrites host:2222 -> container:22). + ipTablesAllowDockerUserContainerSSH = "iptables -A DOCKER-USER -p tcp --dport 22 -j ACCEPT" + // Drop everything else. ipTablesDropDockerUserInbound = "iptables -A DOCKER-USER -j DROP" ipTablesReturnDockerUser = "iptables -A DOCKER-USER -j RETURN" @@ -91,6 +94,7 @@ func (c *ShadeformClient) getIPTablesCommands() []string { ipTablesAllowDockerUserDockerToDocker2, ipTablesAllowDockerUserDockerToDocker3, ipTablesAllowDockerUserInpboundLoopback, + ipTablesAllowDockerUserContainerSSH, ipTablesDropDockerUserInbound, ipTablesReturnDockerUser, // Expected by Docker } From 7e780b99a59e1047d96385879c1c4bbcd2e6c0e3 Mon Sep 17 00:00:00 2001 From: arush070 Date: Wed, 11 Mar 2026 06:12:21 +0000 Subject: [PATCH 2/2] fix(shadeform): update comment to clarify dport 22 scope --- v1/providers/shadeform/firewall.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go index db74128..7fc7a38 100644 --- a/v1/providers/shadeform/firewall.go +++ b/v1/providers/shadeform/firewall.go 
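Review bot: The new `ipTablesAllowDockerUserContainerSSH` rule in the first hunk of PATCH 1/2 admits forwarded TCP to port 22 of every container on the host, not only the container behind the host:2222 publication the comment describes, because DOCKER-USER matches on the post-DNAT destination and the rule filters on neither the original published port nor an ingress interface. Any other container that listens on 22, or whose published port Docker maps to 22, is therefore reachable through this ACCEPT before `ipTablesDropDockerUserInbound` fires. To scope the exception to the intended mapping, match the pre-DNAT port via conntrack, e.g. `iptables -A DOCKER-USER -p tcp -m conntrack --ctstate DNAT --ctorigdstport 2222 --dport 22 -j ACCEPT`, and keep the host port in a named constant so the rule and the publication stay in sync. The `const (` block and `getIPTablesCommands` both begin outside the hunks, so I cannot see whether an earlier ESTABLISHED/RELATED rule already handles return traffic.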
@@ -36,7 +36,7 @@ const ( // Allow inbound traffic on the loopback interface. ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT" - // Allow external inbound to container SSH (dport 22 because Docker DNAT rewrites host:2222 -> container:22). + // Allow external inbound TCP traffic to any container port 22 (SSH) ipTablesAllowDockerUserContainerSSH = "iptables -A DOCKER-USER -p tcp --dport 22 -j ACCEPT" // Drop everything else.
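Review bot: The rewritten comment on `ipTablesAllowDockerUserContainerSSH` drops the trailing period that the neighbouring comments use and also drops the reason the match is on 22 rather than on the published host port, which is the one fact a maintainer needs when reading this rule. I would keep both: `// Allow external inbound TCP to port 22 (SSH) of any container. The match is on the post-DNAT port:` followed by `// Docker rewrites the published host port (e.g. 2222) to the container's 22 before this chain sees the packet.` The enclosing `const (` block starts outside the hunk.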