examples

2026-05-10 13:45:13 +02:00
parent 6fa2e985c5
commit e2cea5542b
8 changed files with 27 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +0,0 @@
-hooks
-chains
-
--- a/chains/.gitignore
+++ b/chains/.gitignore
@@ -1,3 +0,0 @@
-*
-!.gitignore
-!.gitkeep
--- a/chains/.gitkeep
+++ b/chains/.gitkeep
--- a/chains/ai-sandbox.sh
+++ b/chains/ai-sandbox.sh
@@ -0,0 +1,14 @@
+FW_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+source "$FW_DIR/lib.sh"
+
+
+ensure_chain ai-sandbox-input
+ensure_chain ai-sandbox-forward
+
+add_rule ai-sandbox-input -s 10.77.0.150 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+add_rule ai-sandbox-input -s 10.77.0.150 -j REJECT --reject-with icmp-port-unreachable
+
+add_rule ai-sandbox-forward -s 10.77.0.150 -d 10.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
+add_rule ai-sandbox-forward -s 10.77.0.150 -d 172.16.0.0/12 -j REJECT --reject-with icmp-port-unreachable
+add_rule ai-sandbox-forward -s 10.77.0.150 -d 192.168.0.0/16 -j REJECT --reject-with icmp-port-unreachable
+add_rule ai-sandbox-forward -s 10.77.0.150 -j ACCEPT
--- a/hooks/.gitignore
+++ b/hooks/.gitignore
@@ -1,3 +0,0 @@
-*
-!.gitignore
-!.gitkeep
--- a/hooks/.gitkeep
+++ b/hooks/.gitkeep
--- a/hooks/ai-sandbox-StartPre.sh
+++ b/hooks/ai-sandbox-StartPre.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+iptables -C INPUT -s 10.77.0.150 -j ai-sandbox-input 2>/dev/null \
+  || iptables -I INPUT 1 -s 10.77.0.150 -j ai-sandbox-input
+
+iptables -C FORWARD -s 10.77.0.150 -j ai-sandbox-forward 2>/dev/null \
+  || iptables -I FORWARD 1 -s 10.77.0.150 -j ai-sandbox-forward
--- a/hooks/ai-sandbox-StopPost.sh
+++ b/hooks/ai-sandbox-StopPost.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+iptables -D INPUT -s 10.77.0.150 -j ai-sandbox-input 2>/dev/null || true
+iptables -D FORWARD -s 10.77.0.150 -j ai-sandbox-forward 2>/dev/null || true