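#!/bin/bash
# Block external (internet) access to Docker-published container ports.
#
# Host nginx reaches containers over loopback (127.0.0.1), so dropping NEW
# inbound from the public uplink (ens18) into the Docker FORWARD path closes
# the accidental 0.0.0.0 exposure (postgres 5432, forgejo 3022, listmonk
# 9100/9101, api 3001/3002, etc.) without breaking nginx->container or
# container->container/internet traffic.
#
# Scope: only the DOCKER-USER chain (the hook Docker jumps to from FORWARD
# before its own rules) is touched; host INPUT policy lives elsewhere.
# Must run as root. Any failing iptables call aborts the script (set -e) so a
# half-applied chain is loud rather than silent.
set -euo pipefail

readonly UPLINK=ens18
readonly CHAIN=DOCKER-USER

# Trusted admin source IPs allowed to reach the forgejo container (host :3022
# DNATs to 172.18.0.2:22, so the post-DNAT dport is 22). Keep in sync with the
# nft 'trusted_admin' set in /etc/pw-firewall/pw-firewall.nft.
readonly -a TRUSTED_ADMIN=(
  76.228.206.147
  24.162.76.14
  207.174.124.51
)

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must run as root (iptables requires CAP_NET_ADMIN)"

# DOCKER-USER is created by the Docker daemon. If it is missing, every -A
# below would fail anyway; say why instead of emitting a bare iptables error.
iptables -S "$CHAIN" >/dev/null 2>&1 \
  || die "chain $CHAIN not found; is the Docker daemon running?"

# Rebuild DOCKER-USER deterministically.
# NOTE: flush-then-append is not atomic. Between the -F and the DROP rule
# below the chain is empty (default target RETURN), so published ports are
# briefly reachable from the uplink. Acceptable for a boot/deploy hook; switch
# to iptables-restore if that window ever matters.
iptables -F "$CHAIN"

# Existing and related flows (nginx->container, container->internet replies)
# are returned first so rebuilding the chain never cuts live sessions.
iptables -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN

# Allow trusted admins to git/forgejo (post-DNAT dport 22) before the drop.
# This matches on destination port only (no -d), so it also admits these
# sources to any other container whose published port DNATs to port 22.
for ip in "${TRUSTED_ADMIN[@]}"; do
  iptables -A "$CHAIN" -i "$UPLINK" -s "$ip" -p tcp --dport 22 -j RETURN
done

# Everything else arriving on the uplink that is NEW (or conntrack-INVALID)
# is dropped. Traffic entering on other interfaces (loopback, docker bridges)
# is not matched here and falls through to Docker's own FORWARD rules.
iptables -A "$CHAIN" -i "$UPLINK" -m conntrack --ctstate NEW,INVALID -j DROP
iptables -A "$CHAIN" -j RETURN

printf '%s rules:\n' "$CHAIN"
iptables -L "$CHAIN" -n -v --line-numbers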