chore(sandbox): add iptables to base image for bypass diagnostics (#36)

The sandbox supervisor will use iptables to install LOG + REJECT rules
in the network namespace, providing immediate ECONNREFUSED (instead of
30s timeout) and structured diagnostic events when processes attempt
direct connections that bypass the HTTP CONNECT proxy.

Ref: NVIDIA/OpenShell#268

Co-authored-by: John Myers <9696606+jomyers@users.noreply.github.com>

Author: johntmyers

sandboxes/base/Dockerfile

@@ -21,13 +21,15 @@ WORKDIR /sandbox
 
 # Core system dependencies
 # iproute2: network namespace management (ip netns, veth pairs)
+# iptables: bypass detection — LOG + REJECT rules for direct connection diagnostics
 # dnsutils: dig, nslookup
 # Python is managed entirely by uv (see devtools stage).
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dnsutils \
         iproute2 \
+        iptables \
         iputils-ping \
         net-tools \
         netcat-openbsd \