fix: restrict host gateway iptables bypass to allowed ports only

Mossaka · claude · Mossaka · commit 12683ac2e0d7 · 2026-02-06T23:46:18.000Z
The --enable-host-access flag added an iptables ACCEPT rule for
host.docker.internal with no port restriction, allowing agent code
to reach ANY service on the host (databases, admin panels, etc.)
and bypassing the dangerous-ports blocklist entirely.

Changes:
- Restrict host gateway FILTER ACCEPT to ports 80, 443, and any
  ports from --allow-host-ports (was: all ports)
- Apply same port restriction to network gateway bypass
- Add IPv4 format validation for dynamically resolved IPs before
  using them in iptables rules
- Mount chroot-hosts as read-only (:ro) since host.docker.internal
  is pre-injected by docker-manager.ts before mounting

The NAT RETURN rule (which prevents DNAT to Squid) is unchanged,
so MCP traffic still bypasses Squid correctly. Non-allowed port
traffic hits the final DROP rule in the FILTER chain.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/containers/agent/setup-iptables.sh b/containers/agent/setup-iptables.sh
@@ -11,6 +11,12 @@ is_ipv6() {
   [[ "$ip" == *:* ]]
 }
 
+# Function to validate an IPv4 address format (e.g., 172.17.0.1)
+is_valid_ipv4() {
+  local ip="$1"
+  echo "$ip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
+}
+
 # Function to check if ip6tables is available and functional
 has_ip6tables() {
   if command -v ip6tables &>/dev/null && ip6tables -L -n &>/dev/null; then
@@ -124,12 +130,28 @@ iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN
 # Bypass Squid for host.docker.internal when host access is enabled.
 # MCP gateway traffic to host.docker.internal gets DNAT'd to Squid,
 # where Squid fails with "Invalid URL" because rmcp sends relative URLs.
+# The NAT RETURN prevents DNAT to Squid (which would crash on MCP traffic).
+# The FILTER ACCEPT is restricted to allowed ports only (80, 443, and --allow-host-ports).
 if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then
   HOST_GATEWAY_IP=$(getent hosts host.docker.internal | awk 'NR==1 { print $1 }')
-  if [ -n "$HOST_GATEWAY_IP" ]; then
+  if [ -n "$HOST_GATEWAY_IP" ] && is_valid_ipv4 "$HOST_GATEWAY_IP"; then
     echo "[iptables] Allow direct traffic to host gateway (${HOST_GATEWAY_IP}) - bypassing Squid..."
+    # NAT: skip DNAT to Squid for all traffic to host gateway (prevents Squid crash)
     iptables -t nat -A OUTPUT -d "$HOST_GATEWAY_IP" -j RETURN
-    iptables -A OUTPUT -d "$HOST_GATEWAY_IP" -j ACCEPT
+    # FILTER: only allow standard ports (80, 443) to host gateway
+    iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 80 -j ACCEPT
+    iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 443 -j ACCEPT
+    # FILTER: also allow user-specified ports from --allow-host-ports
+    if [ -n "$AWF_ALLOW_HOST_PORTS" ]; then
+      IFS=',' read -ra HOST_PORTS <<< "$AWF_ALLOW_HOST_PORTS"
+      for port_spec in "${HOST_PORTS[@]}"; do
+        port_spec=$(echo "$port_spec" | xargs)
+        echo "[iptables]   Allow host gateway port $port_spec"
+        iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport "$port_spec" -j ACCEPT
+      done
+    fi
+  elif [ -n "$HOST_GATEWAY_IP" ]; then
+    echo "[iptables] WARNING: host.docker.internal resolved to invalid IP '${HOST_GATEWAY_IP}', skipping host gateway bypass"
   else
     echo "[iptables] WARNING: host.docker.internal could not be resolved, skipping host gateway bypass"
   fi
@@ -139,10 +161,20 @@ if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then
   # instead of the Docker bridge gateway (172.17.0.1). Without this bypass,
   # MCP Streamable HTTP traffic goes through Squid, which crashes on SSE connections.
   NETWORK_GATEWAY_IP=$(route -n | awk '/^0\.0\.0\.0/ { print $2; exit }')
-  if [ -n "$NETWORK_GATEWAY_IP" ] && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then
+  if [ -n "$NETWORK_GATEWAY_IP" ] && is_valid_ipv4 "$NETWORK_GATEWAY_IP" && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then
     echo "[iptables] Allow direct traffic to network gateway (${NETWORK_GATEWAY_IP}) - bypassing Squid..."
     iptables -t nat -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j RETURN
     iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport 80 -j ACCEPT
+    iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport 443 -j ACCEPT
+    if [ -n "$AWF_ALLOW_HOST_PORTS" ]; then
+      IFS=',' read -ra NET_GW_PORTS <<< "$AWF_ALLOW_HOST_PORTS"
+      for port_spec in "${NET_GW_PORTS[@]}"; do
+        port_spec=$(echo "$port_spec" | xargs)
+        iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport "$port_spec" -j ACCEPT
+      done
+    fi
+  elif [ -n "$NETWORK_GATEWAY_IP" ] && ! is_valid_ipv4 "$NETWORK_GATEWAY_IP"; then
+    echo "[iptables] WARNING: network gateway resolved to invalid IP '${NETWORK_GATEWAY_IP}', skipping"
   fi
 fi
 
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
@@ -774,7 +774,7 @@ describe('docker-manager', () => {
       expect(volumes).toContain('/etc/nsswitch.conf:/host/etc/nsswitch.conf:ro');
     });
 
-    it('should mount writable chroot-hosts when enableChroot and enableHostAccess are true', () => {
+    it('should mount read-only chroot-hosts when enableChroot and enableHostAccess are true', () => {
       // Ensure workDir exists for chroot-hosts file creation
       fs.mkdirSync(mockConfig.workDir, { recursive: true });
       try {
@@ -787,11 +787,10 @@ describe('docker-manager', () => {
         const agent = result.services.agent;
         const volumes = agent.volumes as string[];
 
-        // Should mount a writable copy of /etc/hosts (not the read-only original)
+        // Should mount a read-only copy of /etc/hosts with host.docker.internal pre-injected
         const hostsVolume = volumes.find((v: string) => v.includes('/host/etc/hosts'));
         expect(hostsVolume).toBeDefined();
-        expect(hostsVolume).toContain('chroot-hosts:/host/etc/hosts');
-        expect(hostsVolume).not.toContain(':ro');
+        expect(hostsVolume).toContain('chroot-hosts:/host/etc/hosts:ro');
       } finally {
         fs.rmSync(mockConfig.workDir, { recursive: true, force: true });
       }
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -521,7 +521,7 @@ export function generateDockerCompose(
         logger.debug(`Could not resolve Docker bridge gateway: ${err}`);
       }
       fs.chmodSync(chrootHostsPath, 0o644);
-      agentVolumes.push(`${chrootHostsPath}:/host/etc/hosts`);
+      agentVolumes.push(`${chrootHostsPath}:/host/etc/hosts:ro`);
     } else {
       agentVolumes.push('/etc/hosts:/host/etc/hosts:ro');
     }

Original file line number	Diff line number	Diff line change
`@@ -521,7 +521,7 @@ export function generateDockerCompose(`
`521`	`521`	logger.debug(`Could not resolve Docker bridge gateway: ${err}`);
`522`	`522`	`}`
`523`	`523`	`fs.chmodSync(chrootHostsPath, 0o644);`
`524`		- agentVolumes.push(`${chrootHostsPath}:/host/etc/hosts`);
	`524`	+ agentVolumes.push(`${chrootHostsPath}:/host/etc/hosts:ro`);
`525`	`525`	`} else {`
`526`	`526`	`agentVolumes.push('/etc/hosts:/host/etc/hosts:ro');`
`527`	`527`	`}`