3434
3535CHAIN=" BAUDBOT_OUTPUT"
3636
37+ add_optional_rule () {
38+ if ! iptables -w " $@ " ; then
39+ echo " ⚠️ Optional firewall rule unsupported by kernel, skipping: iptables -w $* " >&2
40+ fi
41+ }
42+
3743echo " 🔒 Setting up firewall rules for $BAUDBOT_AGENT_USER (uid $UID_BAUDBOT )..."
3844
3945# Clean up any existing rules first
@@ -45,10 +51,10 @@ iptables -w -X "$CHAIN" 2>/dev/null || true
4551iptables -w -N " $CHAIN "
4652
4753# ── Logging (SYN + DNS only — low volume) ────────────────────────────────────
48- # Log all new outbound connections (SYN packets only to avoid flooding)
49- iptables -w -A " $CHAIN " -p tcp --syn -j LOG --log-prefix " baudbot-out: " --log-level info
50- # Log DNS queries
51- iptables -w -A " $CHAIN " -p udp --dport 53 -j LOG --log-prefix " baudbot-dns: " --log-level info
54+ # Some kernels (notably certain cloud Arch images) lack optional LOG/tcp xtables
55+ # modules. Treat logging rules as best-effort; the allow/drop policy is mandatory.
56+ add_optional_rule -A " $CHAIN " -p tcp --syn -j LOG --log-prefix " baudbot-out: " --log-level info
57+ add_optional_rule -A " $CHAIN " -p udp --dport 53 -j LOG --log-prefix " baudbot-dns: " --log-level info
5258
5359# ── Localhost: allow only specific services ──────────────────────────────────
5460
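Review bot: With the SYN and DNS logging rules at new lines 56–57 (and the blocked-traffic LOG rules at new lines 97 and 127) now best-effort, a host whose kernel lacks the LOG target keeps enforcing the allow/drop policy but produces no audit trail at all, and the only record of that degraded state is a single stderr warning that is easily lost when the script runs under systemd or cron. I would have `add_optional_rule` also persist the fact, e.g. `firewall_logging_degraded=1` (constructed name) in its failure branch, and emit one summary line or `logger -t baudbot` entry at the end of the script so operators know blocked-connection visibility is absent rather than merely quiet. The function additionally reports every non-zero exit as "unsupported by kernel", so a mistyped chain name or match option in one of these calls would be described the same way and the script would continue to install the DROP rules with the root cause obscured; naming the affected rule class in the message (connection, DNS or blocked-traffic logging) would make triage easier. The function itself is defined in the hunk above this one, so the flag change belongs there rather than at these call sites.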
@@ -88,7 +94,7 @@ iptables -w -A "$CHAIN" -o lo -p tcp --dport 53 -j ACCEPT
8894iptables -w -A " $CHAIN " -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
8995
9096# Block everything else on localhost
91- iptables -w -A " $CHAIN " -o lo -j LOG --log-prefix " BAUDBOT_LOCAL_BLOCKED: " --log-level 4
97+ add_optional_rule -A " $CHAIN " -o lo -j LOG --log-prefix " BAUDBOT_LOCAL_BLOCKED: " --log-level 4
9298iptables -w -A " $CHAIN " -o lo -j DROP
9399
94100# ── Internet: allow standard + dev ports ─────────────────────────────────────
@@ -118,7 +124,7 @@ iptables -w -A "$CHAIN" -p tcp --dport 4317:4318 -j ACCEPT
118124iptables -w -A " $CHAIN " -m state --state ESTABLISHED,RELATED -j ACCEPT
119125
120126# Log and drop everything else
121- iptables -w -A " $CHAIN " -j LOG --log-prefix " BAUDBOT_BLOCKED: " --log-level 4
127+ add_optional_rule -A " $CHAIN " -j LOG --log-prefix " BAUDBOT_BLOCKED: " --log-level 4
122128iptables -w -A " $CHAIN " -j DROP
123129
124130# Jump to our chain for all baudbot_agent traffic