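#!/bin/bash
#
# Container entrypoint: restrict outbound traffic to a small allow-list, then
# hand off to the requested command (or an interactive shell) as user "tb".
#
# Egress policy applied here (IPv4 filter table, OUTPUT chain):
#   - loopback and already-established/related flows are allowed
#   - DNS (tcp/udp 53) is allowed to any destination
#   - TCP on any port is allowed to the addresses the allow-listed domains
#     resolve to at container start; addresses are not refreshed afterwards
#   - everything else is dropped
#
# Requires root (iptables), the `dig` binary, and an existing user "tb".
# Environment read: TERM, PULSE_SERVER (passed through to the command).
set -euo pipefail

echo "Initializing container security settings..."

# Fail early if the resolver helper is missing: without `dig` the loop below
# would add no rules and the script would still report success.
if ! command -v dig >/dev/null 2>&1; then
  echo "error: 'dig' is required to resolve the allow-listed domains" >&2
  exit 1
fi

# Reset iptables
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP # Default to blocking all outbound connections

# The rules above cover IPv4 only. If the container has an IPv6 stack, apply
# the same default-drop there so v6 cannot bypass the filter. Best-effort:
# ip6tables may be absent or the v6 stack disabled, which is not fatal.
if command -v ip6tables >/dev/null 2>&1; then
  if ip6tables -F 2>/dev/null; then
    ip6tables -P OUTPUT DROP
    ip6tables -A OUTPUT -o lo -j ACCEPT
    ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  else
    echo "warning: ip6tables unavailable; IPv6 egress (if any) is unfiltered" >&2
  fi
fi

# Allow local connections
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS lookups (required to resolve domains).
# Note: this permits port 53 to *any* destination, not only the configured
# resolver, so DNS remains a possible egress channel by design of this script.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Allow connections to specific Anthropic endpoints
for DOMAIN in api.anthropic.com statsig.anthropic.com sentry.io g.t1.xyz wg1.t1.xyz; do
  echo "Allowing access to: $DOMAIN"
  added=0
  # `dig +short` may print CNAME targets alongside A records, and a failed
  # lookup does not abort under `set -e` (command substitution in a for-list),
  # so the number of rules actually added is tracked instead.
  for IP in $(dig +short "$DOMAIN"); do
    # Check if the result is actually an IP address
    if [[ $IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      iptables -A OUTPUT -p tcp -d "$IP" -j ACCEPT
      added=$((added + 1))
    fi
  done
  if (( added == 0 )); then
    echo "warning: no IPv4 address resolved for $DOMAIN; it will be unreachable" >&2
  fi
done

# Verify the rules were applied
echo "Firewall rules successfully applied:"
iptables -L OUTPUT -n

echo "Container security configuration complete. Claude can now use --dangerously-skip-permissions safely."

# Execute the command provided as arguments (or start a shell by default).
# Arguments are forwarded as separate words via "$@"; collapsing them into a
# single string (CMDS="$@") made `entrypoint ls -la` try to exec a program
# literally named "ls -la".
if (( $# == 0 )); then
  set -- /bin/bash
fi
# Quote the pass-through env values so empty or space-containing values still
# arrive as single sudo VAR=value words.
exec sudo --user tb TERM="${TERM:-}" PULSE_SERVER="${PULSE_SERVER:-}" "$@"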