From e2cea5542b18122adc7d4c2963193c1688e2eca8 Mon Sep 17 00:00:00 2001
From: Tord-Vincent Heggland
Date: Sun, 10 May 2026 13:45:13 +0200
Subject: [PATCH] examples
---
 .gitignore | 3 ---
 chains/.gitignore | 3 ---
 chains/.gitkeep | 0
 chains/ai-sandbox.sh | 14 ++++++++++++++
 hooks/.gitignore | 3 ---
 hooks/.gitkeep | 0
 hooks/ai-sandbox-StartPre.sh | 8 ++++++++
 hooks/ai-sandbox-StopPost.sh | 5 +++++
 8 files changed, 27 insertions(+), 9 deletions(-)
 delete mode 100644 chains/.gitignore
 delete mode 100644 chains/.gitkeep
 create mode 100755 chains/ai-sandbox.sh
 delete mode 100644 hooks/.gitignore
 delete mode 100644 hooks/.gitkeep
 create mode 100755 hooks/ai-sandbox-StartPre.sh
 create mode 100755 hooks/ai-sandbox-StopPost.sh
diff --git a/.gitignore b/.gitignore
index 29bdfc7..e69de29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +0,0 @@
-hooks
-chains
-
diff --git a/chains/.gitignore b/chains/.gitignore
deleted file mode 100644
index bf27f31..0000000
--- a/chains/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!.gitignore
-!.gitkeep
diff --git a/chains/.gitkeep b/chains/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/chains/ai-sandbox.sh b/chains/ai-sandbox.sh
new file mode 100755
index 0000000..522b1b9
--- /dev/null
+++ b/chains/ai-sandbox.sh
@@ -0,0 +1,14 @@
+FW_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+source "$FW_DIR/lib.sh"
+
+
+ensure_chain ai-sandbox-input
+ensure_chain ai-sandbox-forward
+
+add_rule ai-sandbox-input -s 10.77.0.150 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+add_rule ai-sandbox-input -s 10.77.0.150 -j REJECT --reject-with icmp-port-unreachable
+
+add_rule ai-sandbox-forward -s 10.77.0.150 -d 10.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
+add_rule ai-sandbox-forward -s 10.77.0.150 -d 172.16.0.0/12 -j REJECT --reject-with icmp-port-unreachable
+add_rule ai-sandbox-forward -s 10.77.0.150 -d 192.168.0.0/16 -j REJECT --reject-with icmp-port-unreachable
+add_rule ai-sandbox-forward -s 10.77.0.150 -j ACCEPT
diff --git a/hooks/.gitignore b/hooks/.gitignore
deleted file mode 100644
index bf27f31..0000000
--- a/hooks/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!.gitignore
-!.gitkeep
diff --git a/hooks/.gitkeep b/hooks/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/hooks/ai-sandbox-StartPre.sh b/hooks/ai-sandbox-StartPre.sh
new file mode 100755
index 0000000..ebb5dd1
--- /dev/null
+++ b/hooks/ai-sandbox-StartPre.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+iptables -C INPUT -s 10.77.0.150 -j ai-sandbox-input 2>/dev/null \
+ || iptables -I INPUT 1 -s 10.77.0.150 -j ai-sandbox-input
+
+iptables -C FORWARD -s 10.77.0.150 -j ai-sandbox-forward 2>/dev/null \
+ || iptables -I FORWARD 1 -s 10.77.0.150 -j ai-sandbox-forward
diff --git a/hooks/ai-sandbox-StopPost.sh b/hooks/ai-sandbox-StopPost.sh
new file mode 100755
index 0000000..a1b481d
--- /dev/null
+++ b/hooks/ai-sandbox-StopPost.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+iptables -D INPUT -s 10.77.0.150 -j ai-sandbox-input 2>/dev/null || true
+iptables -D FORWARD -s 10.77.0.150 -j ai-sandbox-forward 2>/dev/null || true
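Review bot: The egress policy on the last four add_rule lines rejects only the three RFC 1918 ranges before the catch-all ACCEPT, so the sandbox is not blocked from reaching 169.254.0.0/16 (link-local, which on cloud hosts is where the instance metadata service answers) or 100.64.0.0/10 (shared address space used by CGNAT and some VPN overlays), and nothing in the patch covers IPv6 at all. Adding `add_rule ai-sandbox-forward -s 10.77.0.150 -d 169.254.0.0/16 -j REJECT --reject-with icmp-port-unreachable` and the same line for `100.64.0.0/10` ahead of the final ACCEPT closes the IPv4 gaps; whether the sandbox also gets a routable IPv6 address is not visible here. The sandbox address 10.77.0.150 is repeated nine times in this file and again in both hooks, so a single `SANDBOX_IP=10.77.0.150` (or a value exported by lib.sh) would keep the chain rules and the jump rules from silently diverging. The file is marked executable but has no shebang or `set -euo pipefail`, unlike the two hooks; `${BASH_SOURCE[0]}` on the first line requires bash, so if it is meant to be run rather than sourced it should start with `#!/usr/bin/env bash`. Whether add_rule is idempotent (a `-C` check before `-A`) is defined in lib.sh, which is outside the patch.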
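Review bot: The two `-C` checks and the two `-I` lines hardcode the sandbox address 10.77.0.150 a second time, independently of chains/ai-sandbox.sh and of the StopPost hook, so editing one file without the others leaves a jump that no longer matches the chain rules and the sandbox silently falls through to whatever INPUT/FORWARD otherwise allow. Reading the address from one shared place (an exported `SANDBOX_IP` from lib.sh, or an environment variable the unit passes to the hook) removes that failure mode; the same applies to hooks/ai-sandbox-StopPost.sh. Inserting at position 1 is the right choice, since it keeps the jump ahead of any existing permissive rules. Only IPv4 is wired up; if the sandbox also has a routable IPv6 address an equivalent `ip6tables` jump is needed, which cannot be determined from the patch. The suppressed stderr on the `-C` lines also hides a missing user chain until the `-I` fails, so a comment such as `# chains are created by chains/ai-sandbox.sh; this hook only wires them into INPUT/FORWARD` would help the next reader understand the ordering dependency.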
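Review bot: The `|| true` on both iptables -D lines discards every failure, including ones that are not "rule does not exist" (for example running without CAP_NET_ADMIN), so a teardown that did nothing is indistinguishable from a clean one. A leftover jump only keeps the sandbox address restricted, so this does not fail open, but checking presence first makes real errors visible: `if iptables -C INPUT -s 10.77.0.150 -j ai-sandbox-input 2>/dev/null; then iptables -D INPUT -s 10.77.0.150 -j ai-sandbox-input; fi`, and likewise for the FORWARD line. Since StartPre only ever inserts one jump per chain, a single `-D` per chain is sufficient here.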