From ab2e9356c8686340077061520a967b5f737c210b Mon Sep 17 00:00:00 2001
From: Jatin <84621253+h0x0er@users.noreply.github.com>
Date: Wed, 11 Feb 2026 12:14:31 +0530
Subject: [PATCH 1/5] ignoring local folders

---
 .gitignore | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 3aaaad7..9e06fcf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,7 @@ coverage.txt
 
 .vscode/
 vendor
-private-src
\ No newline at end of file
+private-src
+
+dist
+local
\ No newline at end of file

From 286a6a1802324637138a2d1f1d29812c7359389a Mon Sep 17 00:00:00 2001
From: Jatin <84621253+h0x0er@users.noreply.github.com>
Date: Wed, 11 Feb 2026 12:15:33 +0530
Subject: [PATCH 2/5] allow connection to dns_server ips on 443 from agentUID only

---
 firewall.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/firewall.go b/firewall.go
index e6e6bbf..69e7560 100644
--- a/firewall.go
+++ b/firewall.go
@@ -2,6 +2,7 @@ package main
 
 import (
  "fmt"
+ "os"
 
  "github.com/coreos/go-iptables/iptables"
  "github.com/pkg/errors"
@@ -88,12 +89,20 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
  }
 
  // Agent uses HTTPs to resolve domain names
- for _, dnsServer := range dnsServers {
- err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
- destination, dnsServer, target, accept)
-
- if err != nil {
- return errors.Wrapf(err, "failed to add rule for DNS server %s", dnsServer)
+ // Only apply UID filtering for OUTPUT chain
+ if chain == outputChain {
+ agentUID := fmt.Sprintf("%d", os.Getuid())
+ for _, dnsServer := range dnsServers {
+ err = ipt.Insert(filterTable, chain, 1, direction, netInterface,
+ "-m", "owner", "--uid-owner", agentUID,
+ protocol, "tcp",
+ destination, dnsServer,
+ destinationPort, "443",
+ target, accept)
+
+ if err != nil {
+ return errors.Wrapf(err, "failed to add rule for DNS server %s", dnsServer)
+ }
  }
  }
 
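Review bot: `agentUID := fmt.Sprintf("%d", os.Getuid())` ties the owner match to the identity of the process that installs the rules, and because programming iptables normally requires root (or at least CAP_NET_ADMIN), that value is likely to be 0 — `--uid-owner 0` then permits TCP/443 to the DNS servers for every root-owned process on the host, not only the agent. If the agent runs under its own user, the UID should come from that identity (a configured value or the agent's own account) rather than the installer's, and a comment at the `agentUID :=` line should state the assumption, e.g. `// assumes the rule installer runs as the agent's UID; as root this admits all root processes`. Separately, the old per-dnsServer ACCEPT was added for every chain, while the new one exists only when `chain == outputChain`, so any other chain this function serves now gets no DNS-server rule at all — confirm that is intended rather than an accidental loss. The body of addBlockRules starts and ends outside the hunk.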
From 9396277656fa04f9f8a1dc5d797a49bdd384ff13 Mon Sep 17 00:00:00 2001
From: Jatin <84621253+h0x0er@users.noreply.github.com>
Date: Wed, 11 Feb 2026 13:50:20 +0530
Subject: [PATCH 3/5] clarified rule position

---
 firewall.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/firewall.go b/firewall.go
index 69e7560..496e2dd 100644
--- a/firewall.go
+++ b/firewall.go
@@ -90,6 +90,7 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
 
  // Agent uses HTTPs to resolve domain names
  // Only apply UID filtering for OUTPUT chain
+ // Insert DNS server rules at position 1 (top of chain) to ensure they're evaluated first
  if chain == outputChain {
  agentUID := fmt.Sprintf("%d", os.Getuid())
  for _, dnsServer := range dnsServers {

From d8c2843f94a47ae9e8b731d9023ebd89c6480a7d Mon Sep 17 00:00:00 2001
From: Jatin <84621253+h0x0er@users.noreply.github.com>
Date: Thu, 12 Feb 2026 13:26:25 +0530
Subject: [PATCH 4/5] shifted location and append dns_server rules

---
 firewall.go | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/firewall.go b/firewall.go
index 496e2dd..2a11319 100644
--- a/firewall.go
+++ b/firewall.go
@@ -78,23 +78,12 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
  }
  }
 
- for _, endpoint := range endpoints {
- err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
- destination, endpoint.ipAddress,
- destinationPort, endpoint.port, target, accept)
-
- if err != nil {
- return errors.Wrap(err, fmt.Sprintf("failed to append endpoint rule ip:%s, port:%s", endpoint.ipAddress, endpoint.port))
- }
- }
-
  // Agent uses HTTPs to resolve domain names
  // Only apply UID filtering for OUTPUT chain
- // Insert DNS server rules at position 1 (top of chain) to ensure they're evaluated first
  if chain == outputChain {
  agentUID := fmt.Sprintf("%d", os.Getuid())
  for _, dnsServer := range dnsServers {
- err = ipt.Insert(filterTable, chain, 1, direction, netInterface,
+ err = ipt.Append(filterTable, chain, direction, netInterface,
  "-m", "owner", "--uid-owner", agentUID,
  protocol, "tcp",
  destination, dnsServer,
@@ -107,6 +96,16 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
  }
  }
 
+ for _, endpoint := range endpoints {
+ err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
+ destination, endpoint.ipAddress,
+ destinationPort, endpoint.port, target, accept)
+
+ if err != nil {
+ return errors.Wrap(err, fmt.Sprintf("failed to append endpoint rule ip:%s, port:%s", endpoint.ipAddress, endpoint.port))
+ }
+ }
+
  // Allow AzureIPAddress
  err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
  destination, AzureIPAddress, target, accept)

From efd59c8db02665580e7897f3d8b8f457287ab791 Mon Sep 17 00:00:00 2001
From: Jatin <84621253+h0x0er@users.noreply.github.com>
Date: Thu, 12 Feb 2026 13:40:42 +0530
Subject: [PATCH 5/5] update

---
 firewall.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/firewall.go b/firewall.go
index 2a11319..19c1fad 100644
--- a/firewall.go
+++ b/firewall.go
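Review bot: Changing the DNS-server rule from `ipt.Insert(filterTable, chain, 1, ...)` to `ipt.Append(...)` makes its effect depend on whatever the chain already holds when addBlockRules runs — if an earlier rule in the chain is a terminal DROP or REJECT (the function name suggests block rules are managed here, though that part of the body is outside the hunk), an appended ACCEPT is never reached and the agent's DNS-over-HTTPS path silently breaks. The hunk also removes the only comment that documented the ordering intent without replacing it; a line above `if chain == outputChain {` such as `// Appended after any existing rules: this ACCEPT only takes effect if nothing earlier in the chain terminates evaluation` would record the assumption the new position relies on. Moving the DNS loop ahead of the endpoint loop does not by itself change matching, since both emit ACCEPT targets. The start of addBlockRules and the rest of its body lie outside the hunk.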
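Review bot: The re-added endpoint loop in the second hunk wraps its error with `errors.Wrap(err, fmt.Sprintf(...))`, while the DNS-server loop directly above it uses `errors.Wrapf`; the two should read the same, `return errors.Wrapf(err, "failed to append endpoint rule ip:%s, port:%s", endpoint.ipAddress, endpoint.port)`. The inconsistency predates this commit since the loop is moved rather than written, but the move is the natural moment to align it. addBlockRules continues past the end of the hunk.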
@@ -85,7 +85,7 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
  for _, dnsServer := range dnsServers {
  err = ipt.Append(filterTable, chain, direction, netInterface,
  "-m", "owner", "--uid-owner", agentUID,
- protocol, "tcp",
+ protocol, tcp,
  destination, dnsServer,
  destinationPort, "443",
  target, accept)