.devcontainer/init-firewall.sh at 2e57b99c7facfca67595741b51d79f40df77fa2b · anil.recoil.org/slop

anil.recoil.org / slop
My agentic slop goes here. Not intended for anyone else!
slop / .devcontainer / init-firewall.sh
at 2e57b99c7facfca67595741b51d79f40df77fa2b 4.5 kB view raw
  1#!/bin/bash
  2set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
  3IFS=$'\n\t'       # Stricter word splitting
  4
  5# 1. Extract Docker DNS info BEFORE any flushing
  6DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
  7
  8# Flush existing rules and delete existing ipsets
  9iptables -F
 10iptables -X
 11iptables -t nat -F
 12iptables -t nat -X
 13iptables -t mangle -F
 14iptables -t mangle -X
 15ipset destroy allowed-domains 2>/dev/null || true
 16
 17# 2. Selectively restore ONLY internal Docker DNS resolution
 18if [ -n "$DOCKER_DNS_RULES" ]; then
 19    echo "Restoring Docker DNS rules..."
 20    iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
 21    iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
 22    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
 23else
 24    echo "No Docker DNS rules to restore"
 25fi
 26
 27# First allow DNS and localhost before any restrictions
 28# Allow outbound DNS
 29iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
 30# Allow inbound DNS responses
 31iptables -A INPUT -p udp --sport 53 -j ACCEPT
 32# Allow outbound SSH
 33iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
 34# Allow inbound SSH responses
 35iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 36# Allow localhost
 37iptables -A INPUT -i lo -j ACCEPT
 38iptables -A OUTPUT -o lo -j ACCEPT
 39
 40# Create ipset with CIDR support
 41ipset create allowed-domains hash:net
 42
 43# Fetch GitHub meta information and aggregate + add their IP ranges
 44echo "Fetching GitHub IP ranges..."
 45gh_ranges=$(curl -s https://api.github.com/meta)
 46if [ -z "$gh_ranges" ]; then
 47    echo "ERROR: Failed to fetch GitHub IP ranges"
 48    exit 1
 49fi
 50
 51if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
 52    echo "ERROR: GitHub API response missing required fields"
 53    exit 1
 54fi
 55
 56echo "Processing GitHub IPs..."
 57while read -r cidr; do
 58    if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
 59        echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
 60        exit 1
 61    fi
 62    echo "Adding GitHub range $cidr"
 63    ipset add allowed-domains "$cidr"
 64done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q)
 65
 66# Resolve and add other allowed domains
 67for domain in \
 68    "registry.npmjs.org" \
 69    "api.anthropic.com" \
 70    "sentry.io" \
 71    "statsig.anthropic.com" \
 72    "opam.ocaml.org" \
 73    "deb.debian.org" \
 74    "dl.geotessera.org" \
 75    "api.fastmail.com" \
 76    "packages.apache.org" \
 77    "statsig.com"; do
 78    echo "Resolving $domain..."
 79    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
 80    if [ -z "$ips" ]; then
 81        echo "ERROR: Failed to resolve $domain"
 82        exit 1
 83    fi
 84    
 85    while read -r ip; do
 86        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
 87            echo "ERROR: Invalid IP from DNS for $domain: $ip"
 88            exit 1
 89        fi
 90        echo "Adding $ip for $domain"
 91        ipset add allowed-domains "$ip"
 92    done < <(echo "$ips")
 93done
 94
 95# Get host IP from default route
 96HOST_IP=$(ip route | grep default | cut -d" " -f3)
 97if [ -z "$HOST_IP" ]; then
 98    echo "ERROR: Failed to detect host IP"
 99    exit 1
100fi
101
102HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
103echo "Host network detected as: $HOST_NETWORK"
104
105# Set up remaining iptables rules
106iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
107iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
108
109# Set default policies to DROP first
110iptables -P INPUT DROP
111iptables -P FORWARD DROP
112iptables -P OUTPUT DROP
113
114# First allow established connections for already approved traffic
115iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
116iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
117
118# Then allow only specific outbound traffic to allowed domains
119iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
120
121echo "Firewall configuration complete"
122echo "Verifying firewall rules..."
123if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
124    echo "ERROR: Firewall verification failed - was able to reach https://example.com"
125    exit 1
126else
127    echo "Firewall verification passed - unable to reach https://example.com as expected"
128fi
129
130# Verify GitHub API access
131if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
132    echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
133    exit 1
134else
135    echo "Firewall verification passed - able to reach https://api.github.com as expected"
136fi