From 3beb1e360258ab47b672e2d6716ea0434dff7555 Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Fri, 13 Feb 2026 07:10:25 +0000
Subject: [PATCH 1/2] Initial plan


From 3e6d3f9d5b02d46a1f334bc69505e3f80b9bd5be Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Fri, 13 Feb 2026 07:13:15 +0000
Subject: [PATCH 2/2] fix(agent): use AWF_API_PROXY_IP env var for api-proxy
 iptables

Move api-proxy iptables rules to use pre-set AWF_API_PROXY_IP environment
variable instead of dynamic hostname resolution, and place FILTER rules in
the correct position (after NAT setup, before final DROP rule).

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
 containers/agent/setup-iptables.sh | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/containers/agent/setup-iptables.sh b/containers/agent/setup-iptables.sh
index 7a82f631..fef48b19 100644
--- a/containers/agent/setup-iptables.sh
+++ b/containers/agent/setup-iptables.sh
@@ -131,20 +131,17 @@ iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN
 # The agent needs to connect directly to api-proxy (not through Squid).
 # The api-proxy then routes outbound traffic through Squid to enforce domain whitelisting.
 # Architecture: agent -> api-proxy (direct) -> Squid -> internet
-if [ -n "$AWF_ENABLE_API_PROXY" ]; then
-  API_PROXY_IP=$(getent hosts api-proxy | awk 'NR==1 { print $1 }')
-  if [ -n "$API_PROXY_IP" ] && is_valid_ipv4 "$API_PROXY_IP"; then
-    echo "[iptables] Allow direct traffic to api-proxy (${API_PROXY_IP}) - bypassing Squid..."
+# Use AWF_API_PROXY_IP environment variable set by docker-manager (172.30.0.30)
+if [ -n "$AWF_ENABLE_API_PROXY" ] && [ -n "$AWF_API_PROXY_IP" ]; then
+  if is_valid_ipv4 "$AWF_API_PROXY_IP"; then
+    echo "[iptables] Allow direct traffic to api-proxy (${AWF_API_PROXY_IP}) - bypassing Squid..."
     # NAT: skip DNAT to Squid for all traffic to api-proxy
-    iptables -t nat -A OUTPUT -d "$API_PROXY_IP" -j RETURN
-    # FILTER: allow traffic to api-proxy ports (10000 for OpenAI, 10001 for Anthropic)
-    iptables -A OUTPUT -p tcp -d "$API_PROXY_IP" --dport 10000 -j ACCEPT
-    iptables -A OUTPUT -p tcp -d "$API_PROXY_IP" --dport 10001 -j ACCEPT
-  elif [ -n "$API_PROXY_IP" ]; then
-    echo "[iptables] WARNING: api-proxy resolved to invalid IP '${API_PROXY_IP}', skipping api-proxy bypass"
+    iptables -t nat -A OUTPUT -d "$AWF_API_PROXY_IP" -j RETURN
   else
-    echo "[iptables] WARNING: api-proxy could not be resolved, skipping api-proxy bypass"
+    echo "[iptables] WARNING: AWF_API_PROXY_IP has invalid format '${AWF_API_PROXY_IP}', skipping api-proxy bypass"
   fi
+elif [ -n "$AWF_ENABLE_API_PROXY" ]; then
+  echo "[iptables] WARNING: AWF_ENABLE_API_PROXY is set but AWF_API_PROXY_IP is not set"
 fi
 
 # Bypass Squid for host.docker.internal when host access is enabled.
@@ -283,9 +280,12 @@ iptables -A OUTPUT -p tcp -d 127.0.0.11 --dport 53 -j ACCEPT
 # Allow traffic to Squid proxy (after NAT redirection)
 iptables -A OUTPUT -p tcp -d "$SQUID_IP" -j ACCEPT
 
-# Allow traffic to API proxy sidecar (ports 10000/10001)
+# Allow traffic to API proxy sidecar (ports 10000 for OpenAI, 10001 for Anthropic)
+# Must be added before the final DROP rule
 if [ -n "$AWF_API_PROXY_IP" ]; then
-  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" -j ACCEPT
+  echo "[iptables] Allow traffic to api-proxy (${AWF_API_PROXY_IP}) ports 10000, 10001..."
+  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" --dport 10000 -j ACCEPT
+  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" --dport 10001 -j ACCEPT
 fi
 
 # Drop all other TCP traffic (default deny policy)