.devcontainer/init-firewall.sh at main · anil.recoil.org/slop

anil.recoil.org / slop
My agentic slop goes here. Not intended for anyone else!
slop / .devcontainer / init-firewall.sh
at main 4.5 kB view raw
  1#!/bin/bash
  2set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
  3IFS=$'\n\t'       # Stricter word splitting
  4
  5# 1. Extract Docker DNS info BEFORE any flushing
  6DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
  7
  8# Flush existing rules and delete existing ipsets
  9iptables -F
 10iptables -X
 11iptables -t nat -F
 12iptables -t nat -X
 13iptables -t mangle -F
 14iptables -t mangle -X
 15ipset destroy allowed-domains 2>/dev/null || true
 16
 17# 2. Selectively restore ONLY internal Docker DNS resolution
 18if [ -n "$DOCKER_DNS_RULES" ]; then
 19    echo "Restoring Docker DNS rules..."
 20    iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
 21    iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
 22    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
 23else
 24    echo "No Docker DNS rules to restore"
 25fi
 26
 27# First allow DNS and localhost before any restrictions
 28# Allow outbound DNS
 29iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
 30# Allow inbound DNS responses
 31iptables -A INPUT -p udp --sport 53 -j ACCEPT
 32# Allow outbound SSH
 33iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
 34# Allow inbound SSH responses
 35iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 36# Allow localhost
 37iptables -A INPUT -i lo -j ACCEPT
 38iptables -A OUTPUT -o lo -j ACCEPT
 39
 40# Create ipset with CIDR support
 41ipset create allowed-domains hash:net
 42
 43# Fetch GitHub meta information and aggregate + add their IP ranges
 44echo "Fetching GitHub IP ranges..."
 45gh_ranges=$(curl -s https://api.github.com/meta)
 46if [ -z "$gh_ranges" ]; then
 47    echo "ERROR: Failed to fetch GitHub IP ranges"
 48    exit 1
 49fi
 50
 51if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
 52    echo "ERROR: GitHub API response missing required fields"
 53    exit 1
 54fi
 55
 56echo "Processing GitHub IPs..."
 57while read -r cidr; do
 58    if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
 59        echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
 60        exit 1
 61    fi
 62    echo "Adding GitHub range $cidr"
 63    ipset add allowed-domains "$cidr"
 64done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q)
 65
 66# Resolve and add other allowed domains
 67for domain in \
 68    "registry.npmjs.org" \
 69    "api.anthropic.com" \
 70    "sentry.io" \
 71    "statsig.anthropic.com" \
 72    "opam.ocaml.org" \
 73    "deb.debian.org" \
 74    "dl.geotessera.org" \
 75    "tangled.org" \
 76    "api.fastmail.com" \
 77    "packages.apache.org" \
 78    "statsig.com"; do
 79    echo "Resolving $domain..."
 80    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
 81    if [ -z "$ips" ]; then
 82        echo "ERROR: Failed to resolve $domain"
 83        exit 1
 84    fi
 85    
 86    while read -r ip; do
 87        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
 88            echo "ERROR: Invalid IP from DNS for $domain: $ip"
 89            exit 1
 90        fi
 91        echo "Adding $ip for $domain"
 92        ipset add allowed-domains "$ip"
 93    done < <(echo "$ips")
 94done
 95
 96# Get host IP from default route
 97HOST_IP=$(ip route | grep default | cut -d" " -f3)
 98if [ -z "$HOST_IP" ]; then
 99    echo "ERROR: Failed to detect host IP"
100    exit 1
101fi
102
103HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
104echo "Host network detected as: $HOST_NETWORK"
105
106# Set up remaining iptables rules
107iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
108iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
109
110# Set default policies to DROP first
111iptables -P INPUT DROP
112iptables -P FORWARD DROP
113iptables -P OUTPUT DROP
114
115# First allow established connections for already approved traffic
116iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
117iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
118
119# Then allow only specific outbound traffic to allowed domains
120iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
121
122echo "Firewall configuration complete"
123echo "Verifying firewall rules..."
124if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
125    echo "ERROR: Firewall verification failed - was able to reach https://example.com"
126    exit 1
127else
128    echo "Firewall verification passed - unable to reach https://example.com as expected"
129fi
130
131# Verify GitHub API access
132if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
133    echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
134    exit 1
135else
136    echo "Firewall verification passed - able to reach https://api.github.com as expected"
137fi