#!/bin/bash
set -e

echo "Initializing container security settings..."

# Reset iptables. Only the IPv4 OUTPUT chain is restricted below: INPUT and
# FORWARD stay at ACCEPT, and ip6tables is not touched, so on a container
# with IPv6 connectivity outbound IPv6 traffic is not filtered by this script.
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP  # Default to blocking all outbound connections

# Allow local connections and replies on already-established connections
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS lookups (required to resolve domains). Note that this permits
# port 53 to any host, not only the container's configured resolver, so it
# does not stop data leaving over DNS.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Allow connections to specific Anthropic endpoints. The allowlist is a
# snapshot of the addresses resolved right now; if a domain's records change
# later, connections to the new addresses are dropped until the script is
# re-run.
for DOMAIN in api.anthropic.com statsig.anthropic.com sentry.io g.t1.xyz wg1.t1.xyz; do
    echo "Allowing access to: $DOMAIN"
    for IP in $(dig +short "$DOMAIN"); do
        # dig +short also prints CNAME targets; only add rules for IPv4 answers
        if [[ $IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            iptables -A OUTPUT -p tcp -d "$IP" -j ACCEPT
        fi
    done
done

# Verify the rules were applied
echo "Firewall rules successfully applied:"
iptables -L OUTPUT -n

echo "Container security configuration complete. Claude can now use --dangerously-skip-permissions safely."

# Execute the command provided as arguments (or start a shell by default).
# The arguments are passed through as separate words: collapsing "$@" into a
# single string and exec'ing it would make "cmd arg" one program name.
if [ $# -eq 0 ]; then
    set -- /bin/bash
fi
exec sudo --user tb TERM="$TERM" PULSE_SERVER="$PULSE_SERVER" "$@"
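The allowlist loop above trusts whatever `dig +short` returns after a loose regex check (it would accept `999.1.1.1`, and it silently mixes CNAME and AAAA answers in with the A records). The following is an added example, not part of the original script, that separates rule generation from rule application: it validates each resolver answer as a real IPv4 address and prints the iptables commands so the allowlist can be reviewed or diffed before anything is applied. The domain `api.example.com` and the sample lookup output are constructed for illustration; `is_ipv4` and `rules_for_domain` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not the original script's code): dry-run generation of the
# per-domain allow rules from resolver output, with strict IPv4 validation.

# Strict IPv4 check: exactly four dot-separated octets, each 0-255.
# Rejects CNAME targets, IPv6 answers, and out-of-range octets such as 999.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Read one resolver answer per line on stdin (the shape `dig +short` emits),
# and print one iptables command per valid IPv4 address. Non-IPv4 answers are
# reported on stderr and skipped. Nothing is executed here.
rules_for_domain() {
    _domain=$1
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        if is_ipv4 "$_line"; then
            printf 'iptables -A OUTPUT -p tcp -d %s -j ACCEPT  # %s\n' "$_line" "$_domain"
        else
            printf '# skipped non-IPv4 answer for %s: %s\n' "$_domain" "$_line" >&2
        fi
    done
}

# Constructed sample of what `dig +short` might return for a host behind a
# CNAME: the CNAME target, two A records, one AAAA record, one malformed line.
SAMPLE_LOOKUP='edge.example-cdn.net.
203.0.113.10
203.0.113.11
2001:db8::10
999.1.1.1'

# Usage: pipe the lookup into the generator and review the rules before
# piping them into sh (in the real script: dig +short "$DOMAIN" | rules_for_domain "$DOMAIN").
printf '%s\n' "$SAMPLE_LOOKUP" | rules_for_domain api.example.com
```

Running the block prints two `iptables -A OUTPUT ... ACCEPT` lines for the two A records and reports the CNAME target, the AAAA record, and the malformed address on stderr. Keeping generation separate from application also makes it easy to log the exact allowlist that was in force for a given container run.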