diff --git a/sandboxes/base/Dockerfile b/sandboxes/base/Dockerfile
index 8d62d42..8662412 100644
--- a/sandboxes/base/Dockerfile
+++ b/sandboxes/base/Dockerfile
@@ -21,6 +21,7 @@ WORKDIR /sandbox
 
 # Core system dependencies
 # iproute2: network namespace management (ip netns, veth pairs)
+# iptables: bypass detection — LOG + REJECT rules for direct connection diagnostics
 # dnsutils: dig, nslookup
 # Python is managed entirely by uv (see devtools stage).
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -28,6 +29,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         curl \
         dnsutils \
         iproute2 \
+        iptables \
         iputils-ping \
         net-tools \
         netcat-openbsd \