From 0ecf8eee2bb4d8cd1f00750b12e6c4bbf2e73c43 Mon Sep 17 00:00:00 2001
From: Bryce Adelstein Lelbach aka wash
Date: Wed, 4 Feb 2026 14:26:43 -0500
Subject: [PATCH] Modify iptables rules to allow exgress traffic from within the container. See BREV-2599.

---
 v1/providers/shadeform/firewall.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
index 693a18c..445bd55 100644
--- a/v1/providers/shadeform/firewall.go
+++ b/v1/providers/shadeform/firewall.go
@@ -15,10 +15,26 @@ const (
 	ufwDefaultAllowPort2222 = "ufw allow 2222/tcp"
 	ufwForceEnable = "ufw --force enable"
+	// Clear DOCKER-USER policy.
 	ipTablesResetDockerUserChain = "iptables -F DOCKER-USER"
-	ipTablesAllowDockerUserOutbound = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+
+	// Allow return traffic.
+	ipTablesAllowDockerUserOutbound = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+
+	// Allow containers to initiate outbound traffic (default bridge + user-defined bridges).
+	ipTablesAllowDockerUserOutboundInit0 = "iptables -A DOCKER-USER -i docker0 ! -o docker0 -j ACCEPT"
+	ipTablesAllowDockerUserOutboundInit1 = "iptables -A DOCKER-USER -i br+ ! -o br+ -j ACCEPT"
+
+	// Allow container-to-container on the same bridge.
+	ipTablesAllowDockerUserDockerToDocker0 = "iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT"
+	ipTablesAllowDockerUserDockerToDocker1 = "iptables -A DOCKER-USER -i br+ -o br+ -j ACCEPT"
+
+	// Allow inbound traffic on the loopback interface.
 	ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT"
+
+	// Drop everything else.
 	ipTablesDropDockerUserInbound = "iptables -A DOCKER-USER -j DROP"
 	ipTablesReturnDockerUser = "iptables -A DOCKER-USER -j RETURN"
 )
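Review bot: The `br+` wildcard in ipTablesAllowDockerUserOutboundInit1 and ipTablesAllowDockerUserDockerToDocker1 matches every interface whose name begins with `br`, not only Docker's user-defined bridges (which are named `br-<id>`), so any other host bridge such as a `br0` uplink would also be accepted by these rules; `-i br-+ ! -o br-+` and `-i br-+ -o br-+` narrow the match to Docker-created bridges. Separately, an ACCEPT inside DOCKER-USER ends FORWARD processing before Docker's own DOCKER-ISOLATION chains run, and `-i docker0 ! -o docker0` also matches docker0-to-`br-*` traffic, so the two "initiate outbound" rules appear to permit cross-network container traffic that Docker would otherwise isolate — worth confirming against the intended policy, since `-j RETURN` on those two rules would hand such packets back to Docker's FORWARD rules instead of short-circuiting them. Also, OutboundInit0 together with DockerToDocker0 is equivalent to a single `-i docker0 -j ACCEPT` (and likewise for the br pair), so the four rules collapse to two unless the split is meant to document intent. The second hunk appends the same four constants in the same order in getIPTablesCommands, so any change here applies there too.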
@@ -63,6 +79,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 	commands := []string{
 		ipTablesResetDockerUserChain,
 		ipTablesAllowDockerUserOutbound,
+		ipTablesAllowDockerUserOutboundInit0,
+		ipTablesAllowDockerUserOutboundInit1,
+		ipTablesAllowDockerUserDockerToDocker0,
+		ipTablesAllowDockerUserDockerToDocker1,
 		ipTablesAllowDockerUserInpboundLoopback,
 		ipTablesDropDockerUserInbound,
 		ipTablesReturnDockerUser, // Expected by Docker