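#!/bin/sh
# Managed by Ansible. Enforces deny-by-default egress for the Actions bridge.
#
# Forwarded traffic from the runner subnet is steered into a dedicated chain
# that accepts only replies to established flows, DNS to the gateway, and
# destinations present in the allow-list ipset; everything else is rejected.
#
# Optional env overrides for the binaries: IPSET_BIN, IPTABLES, IPTABLES_RESTORE.
# IPv4 only: the set is "family inet" and only iptables is driven, so IPv6 on
# the bridge (if any) is not covered by this chain.
set -eu

IPSET="{{ shithub_runner_ipset_name }}"
CHAIN="SHITHUB_ACTIONS_EGRESS"
SUBNET="{{ shithub_runner_network_subnet }}"
DNS="{{ shithub_runner_network_gateway }}"

IPSET_BIN="${IPSET_BIN:-ipset}"
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Allow-list of destination IPs (entries expire after a day); -exist keeps the
# create idempotent. The set must exist before the chain below references it.
"$IPSET_BIN" create "$IPSET" hash:ip family inet timeout 86400 -exist

# Build the chain in a single iptables-restore commit instead of flush-then-append.
# With --noflush the ":$CHAIN" line creates the chain if missing and empties it,
# and the stanza is applied as one table replacement, so there is no window (and
# no half-applied state after a mid-way failure) in which the chain exists without
# its terminating REJECT and subnet traffic falls through to the rest of FORWARD.
# Rule order matters: the REJECT must stay last.
# NOTE(review): a rate-limited LOG rule ahead of the REJECT would make blocked
# egress visible to detection; not added here so log volume is not changed unreviewed.
"$IPTABLES_RESTORE" -w --noflush <<EOF
*filter
:$CHAIN - [0:0]
-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -d $DNS -p udp --dport 53 -j ACCEPT
-A $CHAIN -d $DNS -p tcp --dport 53 -j ACCEPT
-A $CHAIN -m set --match-set $IPSET dst -j ACCEPT
-A $CHAIN -j REJECT
COMMIT
EOF

# Exactly one jump from FORWARD into the chain, at the top: delete every existing
# copy (the loop ends when -D finds none left), then insert a fresh one at position 1.
while "$IPTABLES" -w -D FORWARD -s "$SUBNET" -j "$CHAIN" 2>/dev/null; do
  :
done
"$IPTABLES" -w -I FORWARD 1 -s "$SUBNET" -j "$CHAIN"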