allow established before lo

Author: drewmalin

v1/providers/nebius/instance.go

@@ -1796,8 +1796,8 @@ func generateUFWCommands(firewallRules v1.FirewallRules) []string {
 func generateIPTablesCommands() []string {
 	commands := []string{
 		"iptables -F DOCKER-USER",
-		"iptables -A DOCKER-USER -i lo -j ACCEPT",
 		"iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
+		"iptables -A DOCKER-USER -i lo -j ACCEPT",
 		"iptables -A DOCKER-USER -j DROP",
 		"iptables -A DOCKER-USER -j RETURN", // Expected by Docker
 	}

v1/providers/shadeform/firewall.go

@@ -16,8 +16,8 @@ const (
 	ufwForceEnable          = "ufw --force enable"
 
 	ipTablesResetDockerUserChain            = "iptables -F DOCKER-USER"
-	ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT"
 	ipTablesAllowDockerUserOutbound         = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+	ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT"
 	ipTablesDropDockerUserInbound           = "iptables -A DOCKER-USER -j DROP"
 	ipTablesReturnDockerUser                = "iptables -A DOCKER-USER -j RETURN"
 )
@@ -62,8 +62,8 @@ func (c *ShadeformClient) getUFWCommands(firewallRules v1.FirewallRules) []strin
 func (c *ShadeformClient) getIPTablesCommands() []string {
 	commands := []string{
 		ipTablesResetDockerUserChain,
-		ipTablesAllowDockerUserInpboundLoopback,
 		ipTablesAllowDockerUserOutbound,
+		ipTablesAllowDockerUserInpboundLoopback,
 		ipTablesDropDockerUserInbound,
 		ipTablesReturnDockerUser, // Expected by Docker
 	}