From 90e4fae240a6b6dcb62fd2e33e39e2050802c67b Mon Sep 17 00:00:00 2001
From: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Date: Fri, 30 Jan 2026 01:56:07 -0800
Subject: [PATCH] Rewrite and simplify
---
 .github/workflows/workflow.yml | 64 ++++++++++++++++++++++++++++++++--
 1 file changed, 62 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 3dbbc6f..0a95749 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -90,15 +90,45 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:latest
- options: --dns 127.0.0.1
+ options: --cap-add=NET_ADMIN --dns 127.0.0.1
 services:
 squid-proxy:
 image: ubuntu/squid:latest
 ports:
 - 3128:3128
 env:
+ http_proxy: http://squid-proxy:3128
 https_proxy: http://squid-proxy:3128
 steps:
+ - name: Install iptables
+ run: |
+ apt-get update
+ apt-get install -y iptables
+ - name: Block direct traffic (enforce proxy usage)
+ run: |
+ # Get the squid-proxy container IP
+ PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+ echo "Proxy IP: $PROXY_IP"
+
+ # Allow loopback traffic
+ iptables -A OUTPUT -o lo -j ACCEPT
+
+ # Allow traffic to the proxy container
+ iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
+
+ # Allow established connections
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow DNS (needed for initial resolution)
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+ # Block all other outbound traffic (HTTP/HTTPS)
+ iptables -A OUTPUT -p tcp --dport 80 -j REJECT
+ iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+
+ # Log the iptables rules for debugging
+ iptables -L -v -n
 - name: Checkout
 uses: actions/checkout@v5
 - name: Generate files
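Review bot: The two REJECT rules at the end of the "Block direct traffic (enforce proxy usage)" step only close TCP 80 and 443, so every other outbound port stays open despite the comment `# Block all other outbound traffic (HTTP/HTTPS)`; after the explicit ACCEPTs the chain should end in a default deny, e.g. replace the two port-specific lines with `iptables -A OUTPUT -j REJECT` (and `ip6tables -A OUTPUT -j REJECT` if the image enables IPv6). The `-d $PROXY_IP` ACCEPT also needs a guard, because an empty lookup result yields a malformed rule rather than a clear error: add `[ -n "$PROXY_IP" ] || { echo "squid-proxy did not resolve" >&2; exit 1; }` right after the `PROXY_IP=` assignment. Since the rules are written from inside the job container, which this commit grants NET_ADMIN, later steps running in that same container can alter them, so this isolates the test rather than acting as an enforcement boundary against the code under test; a short comment at the top of the step stating that intent would prevent the step name from overpromising. The second hunk (`@@ -114,15 +144,45 @@`) repeats this step verbatim and has the same gaps; consider extracting it into a composite action or shared script so both jobs stay in sync.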
@@ -114,15 +144,45 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:latest
- options: --dns 127.0.0.1
+ options: --cap-add=NET_ADMIN --dns 127.0.0.1
 services:
 squid-proxy:
 image: ubuntu/squid:latest
 ports:
 - 3128:3128
 env:
+ http_proxy: http://squid-proxy:3128
 https_proxy: http://squid-proxy:3128
 steps:
+ - name: Install iptables
+ run: |
+ apt-get update
+ apt-get install -y iptables
+ - name: Block direct traffic (enforce proxy usage)
+ run: |
+ # Get the squid-proxy container IP
+ PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+ echo "Proxy IP: $PROXY_IP"
+
+ # Allow loopback traffic
+ iptables -A OUTPUT -o lo -j ACCEPT
+
+ # Allow traffic to the proxy container
+ iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
+
+ # Allow established connections
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow DNS (needed for initial resolution)
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+
+ # Block all other outbound traffic (HTTP/HTTPS)
+ iptables -A OUTPUT -p tcp --dport 80 -j REJECT
+ iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+
+ # Log the iptables rules for debugging
+ iptables -L -v -n
 - name: Checkout
 uses: actions/checkout@v5
 - name: Restore cache