Add permanent kill switch and redirect stderr and stdout for up check #41

Open
ProgramComputer wants to merge 12 commits into base: master

Contributor

@ProgramComputer ProgramComputer commented Sep 22, 2023

linux-cli-community may be unmaintained. Resolves #5 by adding package iptables.

Adds an experimental kill switch, separate from the cli, to the container. The permanent kill switch is set as the default. The kill switch is IP-agnostic, relying on processes and interfaces (eth0 and proton0), and supports IPv6 by using nftables.

Below was the initial nftables configuration file, but it took space using sets even when a size of 65535 is sufficient above 128; it would hinder configurability. Privoxy also recommends not running as root. Finally, manually enabling the cli killswitch may cause unexpected results.
Not tested in swarm mode.

#!/usr/sbin/nft -f
table inet filter {
    # Source addresses seen on eth0, added and deleted from the packet path
    set eth0_clients4 {
        type ipv4_addr
        size 65535
        flags timeout
        gc-interval 1d
    }

    set eth0_clients6 {
        type ipv6_addr
        size 65535
        flags timeout
        gc-interval 1d
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept

        # Add IP addresses to the eth0_clients set when clients connect
        add @eth0_clients4 { ip saddr }
        add @eth0_clients6 { ip6 saddr }

        # Allow incoming traffic from eth0 to Privoxy (IPv4)
        iifname "eth0" ip saddr @eth0_clients4 accept

        # Allow incoming traffic from eth0 to Privoxy (IPv6)
        iifname "eth0" ip6 saddr @eth0_clients6 accept

        # Allow established and related traffic
        ct state established,related accept

        # Drop everything else
        drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        oif eth0 skuid root accept

        # Allow established and related traffic
        ct state established,related accept

        # Drop eth0 loopbacks
        ip saddr @eth0_clients4 drop
        ip6 saddr @eth0_clients6 drop

        # Remove IP addresses from the eth0_clients set when traffic goes out on proton0 (IPv4)
        oifname "proton0" ip daddr @eth0_clients4 delete @eth0_clients4 { ip daddr }

        # Remove IP addresses from the eth0_clients set when traffic goes out on proton0 (IPv6)
        oifname "proton0" ip6 daddr @eth0_clients6 delete @eth0_clients6 { ip6 daddr }

        # Allow outgoing traffic on the proton0 interface
        oifname "proton0" accept

        # Drop everything else
        drop
    }
}

Minor change was from seeing #36 and preventing some redundant output.

@ProgramComputer ProgramComputer marked this pull request as ready for review September 22, 2023 04:40
Owner

@walterl walterl left a comment

Thanks so much for this valuable contribution. ❤️

Left some comments for minor changes, and a question or two that I'm unsure about.

Please also bump the version in the Dockerfile to 0.5.0 in all these places:

❯ ag 0.4
test/docker_secrets_test/test.sh:3:#docker build -t walt3rl/proton-privoxy:0.4.2-dev ../..
Dockerfile:3:LABEL version="0.4.2"
test/docker_secrets_test/docker-compose.yml:4:    image: walt3rl/proton-privoxy:0.4.2-dev
.github/workflows/docker.yml:39:            walt3rl/proton-privoxy:0.4.2

pvpn-cli/killswitch.conf (outdated)
iif lo accept

# Allow new, established, and related traffic
ct state new,established,related accept
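
Review bot: The "ct state new,established,related accept" line carries no interface or port match, so if it sits in the input chain, as the thread below indicates, it accepts every new connection on every interface, not only client connections to the proxy. Consider keeping "ct state established,related accept" unconditional and accepting "new" only together with an iifname match for the interface clients connect on, and update the comment above it to say why inbound "new" is needed.
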
Owner

Why do we want to allow incoming connections?

Contributor Author

@ProgramComputer ProgramComputer Oct 5, 2023

The first line can be removed; I left it for future testing purposes.
The second line is to initially connect with privoxy; otherwise no incoming connection can be made except outgoing from within the proxy. Try replacing with iif eth0 skuid privoxyu accept, but I think the functionality won't change significantly.

Owner

I understand what this does, but I'm not clear on why we would want to allow incoming connections at all. The connection to set up the VPN is outgoing, as are all connections using the VPN, right?

In fact, shouldn't the new on this line be added to the corresponding output rule? Otherwise no new connection can be made from this container.

Contributor Author

Yes, outgoing connections can already be made as proton0 allows it, but to connect to privoxy as a proxy, an incoming connection of some form has to be allowed; otherwise, it's not a proxy, but a direct VPN connection from within. I recommend testing your edge cases and letting me know.

Owner

Right. That makes sense, but it still seems odd that all incoming connections are allowed, and no outgoing ones. I'll test it out a bit.
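
A toy first-match model of the rules argued over in this thread, added here as an illustration and not taken from the PR: it shows why inbound "new" must be accepted for the proxy to be reachable, why replies on eth0 only need established,related, and what an unscoped inbound "new" also lets through. The privoxy user name, the TIGHT_INPUT variant and the sample packets are assumptions; the output rules follow the initial config in the description with its set rules left out.

```python
# Added illustration: a toy first-match model of the rules, not nftables itself.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    hook: str      # "input" or "output"
    iface: str     # iif on input, oif on output
    ct: str        # conntrack state: new / established / related / invalid
    uid: str = ""  # socket owner, only meaningful on output

TRACKED = {"established", "related"}

# Input rules as shown in the reviewed killswitch.conf lines (policy drop assumed).
PR_INPUT = [
    lambda p: p.iface == "lo",
    lambda p: p.ct == "new" or p.ct in TRACKED,
]
# Hypothetical tightening (not from the PR): "new" only from eth0.
TIGHT_INPUT = [
    lambda p: p.iface == "lo",
    lambda p: p.ct in TRACKED,
    lambda p: p.iface == "eth0" and p.ct == "new",
]
# Output rules from the initial config in the description, set rules left out.
OUTPUT = [
    lambda p: p.iface == "lo",
    lambda p: p.iface == "eth0" and p.uid == "root",
    lambda p: p.ct in TRACKED,
    lambda p: p.iface == "proton0",
]

def verdict(p, input_rules=PR_INPUT):
    rules = input_rules if p.hook == "input" else OUTPUT
    return "accept" if any(rule(p) for rule in rules) else "drop"

# Constructed packets covering the cases argued over in the thread.
CASES = {
    "client connects to Privoxy": Packet("input", "eth0", "new"),
    "Privoxy answers client": Packet("output", "eth0", "established", "privoxy"),
    "Privoxy fetches via tunnel": Packet("output", "proton0", "new", "privoxy"),
    "Privoxy fetches, tunnel down": Packet("output", "eth0", "new", "privoxy"),
    "root brings up the VPN": Packet("output", "eth0", "new", "root"),
    "unsolicited inbound on proton0": Packet("input", "proton0", "new"),
}

def run(input_rules=PR_INPUT):
    return {name: verdict(p, input_rules) for name, p in CASES.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{result:6}  {name}")
```

The "tunnel down" case is the kill-switch property: a non-root process opening a new connection out of eth0 matches no output rule and falls to the drop policy.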

Successfully merging this pull request may close these issues.

Maybe use iptables to implement kill switch option?