put add/block/add logic in same order as iptables rules

joecorall · joecorall · commit ed7fd19e1970 · 2025-12-06T07:03:06.000-05:00
diff --git a/init-firewall.sh b/init-firewall.sh
@@ -13,8 +13,9 @@ iptables -t nat -X
 iptables -t mangle -F
 iptables -t mangle -X
 ipset destroy github-anthropic 2>/dev/null || true
+ipset destroy google-all-ips 2>/dev/null || true
+ipset destroy google-customer-ips 2>/dev/null || true
 
-# 2. Selectively restore ONLY internal Docker DNS resolution
 if [ -n "$DOCKER_DNS_RULES" ]; then
     echo "Restoring Docker DNS rules..."
     iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
@@ -24,20 +25,13 @@ else
     echo "No Docker DNS rules to restore"
 fi
 
-# First allow DNS and localhost before any restrictions
-# Allow outbound DNS
 iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-# Allow inbound DNS responses
 iptables -A INPUT -p udp --sport 53 -j ACCEPT
-# Allow outbound SSH
 iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-# Allow inbound SSH responses
 iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-# Allow localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
-# Create ipset with CIDR support
 ipset create github-anthropic hash:net
 ipset create google-all-ips hash:net
 ipset create google-customer-ips hash:net
@@ -53,46 +47,6 @@ if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
     echo "ERROR: GitHub API response missing required fields"
     exit 1
 fi
-
-GOOGLE_ALL_IP_URL="https://www.gstatic.com/ipranges/goog.json"
-GOOGLE_CLOUD_CUSTOMER_IP_URL="https://www.gstatic.com/ipranges/cloud.json"
-
-echo "Fetching Google All IPs (goog.json)..."
-goog_ips=$(curl -s $GOOGLE_ALL_IP_URL)
-if [ -z "$goog_ips" ]; then
-    echo "ERROR: Failed to fetch Google All IPs"
-    exit 1
-fi
-
-echo "Fetching Google Cloud Customer IPs (cloud.json)..."
-cloud_ips=$(curl -s $GOOGLE_CLOUD_CUSTOMER_IP_URL)
-if [ -z "$cloud_ips" ]; then
-    echo "ERROR: Failed to fetch Google Cloud Customer IPs"
-    exit 1
-fi
-
-echo "Populating goog-all-ips ipset..."
-GOOG_NETBLOCKS=$(echo "$goog_ips" | jq -r '.prefixes[] | select(.ipv4Prefix) | .ipv4Prefix' | aggregate -q)
-if [ -z "$GOOG_NETBLOCKS" ]; then
-    echo "ERROR: No IPv4 prefixes found in goog.json"
-    exit 1
-fi
-
-while read -r cidr; do
-    echo "Adding Google range $cidr"
-    ipset add google-all-ips "$cidr" 2>/dev/null || true
-done < <(echo "$GOOG_NETBLOCKS")
-
-CLOUD_NETBLOCKS=$(echo "$cloud_ips" | jq -r '.prefixes[] | select(.ipv4Prefix) | .ipv4Prefix' | aggregate -q)
-if [ -z "$CLOUD_NETBLOCKS" ]; then
-    echo "ERROR: No IPv4 prefixes found in cloud.json"
-    exit 1
-fi
-while read -r cidr; do
-    echo "Blocking Google range $cidr"
-    ipset add google-customer-ips "$cidr" 2>/dev/null || true
-done < <(echo "$CLOUD_NETBLOCKS")
-
 echo "Processing GitHub IPs..."
 while read -r cidr; do
     if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
@@ -103,7 +57,6 @@ while read -r cidr; do
     ipset add github-anthropic "$cidr"
 done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q)
 
-# Resolve and add other allowed domains
 for domain in \
     "api.anthropic.com" \
     "generativelanguage.googleapis.com" \
@@ -125,34 +78,67 @@ for domain in \
     done < <(echo "$ips")
 done
 
-# Get host IP from default route
+GOOGLE_CLOUD_CUSTOMER_IP_URL="https://www.gstatic.com/ipranges/cloud.json"
+echo "Fetching gcloud customer IPs $GOOGLE_CLOUD_CUSTOMER_IP_URL."
+cloud_ips=$(curl -s $GOOGLE_CLOUD_CUSTOMER_IP_URL)
+if [ -z "$cloud_ips" ]; then
+    echo "ERROR: Failed to fetch Google Cloud Customer IPs"
+    exit 1
+fi
+CLOUD_NETBLOCKS=$(echo "$cloud_ips" | jq -r '.prefixes[] | select(.ipv4Prefix) | .ipv4Prefix' | aggregate -q)
+if [ -z "$CLOUD_NETBLOCKS" ]; then
+    echo "ERROR: No IPv4 prefixes found in cloud.json"
+    exit 1
+fi
+while read -r cidr; do
+    echo "Blocking Google range $cidr"
+    ipset add google-customer-ips "$cidr" 2>/dev/null || true
+done < <(echo "$CLOUD_NETBLOCKS")
+
+# Get all IPs in Google Cloud
+GOOGLE_ALL_IP_URL="https://www.gstatic.com/ipranges/goog.json"
+echo "Fetching gcloud full ip ranges $GOOGLE_ALL_IP_URL."
+goog_ips=$(curl -s $GOOGLE_ALL_IP_URL)
+if [ -z "$goog_ips" ]; then
+    echo "ERROR: Failed to fetch Google All IPs"
+    exit 1
+fi
+echo "Populating goog-all-ips ipset..."
+GOOG_NETBLOCKS=$(echo "$goog_ips" | jq -r '.prefixes[] | select(.ipv4Prefix) | .ipv4Prefix' | aggregate -q)
+if [ -z "$GOOG_NETBLOCKS" ]; then
+    echo "ERROR: No IPv4 prefixes found in goog.json"
+    exit 1
+fi
+while read -r cidr; do
+    echo "Adding Google range $cidr"
+    ipset add google-all-ips "$cidr" 2>/dev/null || true
+done < <(echo "$GOOG_NETBLOCKS")
+
+
 HOST_IP=$(ip route | grep default | cut -d" " -f3)
 if [ -z "$HOST_IP" ]; then
     echo "ERROR: Failed to detect host IP"
     exit 1
 fi
-
 HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
 echo "Host network detected as: $HOST_NETWORK"
 
-# Set up remaining iptables rules
 iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
 iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
-
-# Set default policies to DROP first
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
-
-# First allow established connections for already approved traffic
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allow GitHub and Anthropic
 iptables -A OUTPUT -m set --match-set github-anthropic dst -j ACCEPT
-# Block all Google Cloud customer IPs (do not include github/anthropic)
+# Block all Google Cloud customer IPs
+# since this rule is after github-anthropic ACCEPT it shouldn't block any IPs in both sets
 iptables -A OUTPUT -m set --match-set google-customer-ips dst -j REJECT --reject-with icmp-admin-prohibited
 # Allow complement of All Google IPs and Customer Google Cloud IPs
+# since this rule is after google-customer-ips REJECT it should allow
+# IPs used by google not assigned to customers
 iptables -A OUTPUT -m set --match-set google-all-ips dst -j ACCEPT
 
 # Explicitly REJECT all other outbound traffic for immediate feedback
@@ -166,8 +152,6 @@ if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
 else
     echo "Firewall verification passed - unable to reach https://example.com as expected"
 fi
-
-# Verify GitHub API access
 if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
     echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
     exit 1
