Initial release: DictIA v0.8.14-alpha (fork de Speakr, AGPL-3.0)

deployment/security/iptables-rules.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# DictIA — iptables rules for cloud VPS
+#
+# Allows Docker internal traffic to reach the ASR proxy on port 9090.
+# Blocks direct external access to Docker container IPs.
+# Tailscale + UFW handle the main firewall — this script adds Docker-specific rules.
+#
+# Usage: sudo bash iptables-rules.sh
+set -euo pipefail
+
+echo "=== DictIA iptables rules ==="
+
+# Allow Docker containers (172.16.0.0/12) to reach ASR proxy on port 9090
+# This rule goes BEFORE the default DROP policy so containers can talk to the proxy
+iptables -C INPUT -s 172.16.0.0/12 -p tcp --dport 9090 -j ACCEPT 2>/dev/null \
+    || iptables -I INPUT 1 -s 172.16.0.0/12 -p tcp --dport 9090 -j ACCEPT
+
+# Block direct external access to Docker container IPs (raw table, before conntrack)
+# Protects containers on non-default bridge networks (e.g., dictia-network)
+for NETWORK_ID in $(docker network ls --filter driver=bridge --format '{{.ID}}' 2>/dev/null); do
+    BRIDGE=$(docker network inspect "$NETWORK_ID" --format '{{.Options.com.docker.network.bridge.name}}' 2>/dev/null || echo "")
+    [ -z "$BRIDGE" ] && continue
+    [ "$BRIDGE" = "docker0" ] && continue
+
+    for CONTAINER_IP in $(docker network inspect "$NETWORK_ID" \
+        --format '{{range .Containers}}{{.IPv4Address}} {{end}}' 2>/dev/null); do
+        IP="${CONTAINER_IP%/*}"
+        [ -z "$IP" ] && continue
+        iptables -t raw -C PREROUTING -d "$IP" ! -i "$BRIDGE" -j DROP 2>/dev/null \
+            || iptables -t raw -A PREROUTING -d "$IP" ! -i "$BRIDGE" -j DROP
+        echo "  Protected $IP on $BRIDGE"
+    done
+done
+
+echo "Rules applied. Tailscale + Docker internal traffic allowed."
+echo "Verify with: sudo iptables -L -n -t raw"