fix: update iptables binary paths to use /usr/sbin instead of /sbin

Standardize iptables paths across firewall scripts and Go code to ensure compatibility with systems where iptables is located in /usr/sbin. This affects both legacy and non-legacy iptables binaries.

network-go/implementation.md

@@ -173,7 +173,7 @@ pid, _ := dockerClient.GetContainerPID(ctx, containerName)
 
 // 2. Execute iptables inside container namespace via nsenter
 exec.Command("nsenter", "-t", fmt.Sprintf("%d", pid), "-n", "--",
-    "/sbin/iptables-legacy", "-t", "nat", "-I", "PREROUTING", ...)
+    "/usr/sbin/iptables-legacy", "-t", "nat", "-I", "PREROUTING", ...)
 ```
 
 - `-t <pid>` — target the container's PID

network-go/iptables/iptables.go

@@ -69,9 +69,9 @@ func (m *Manager) run(args ...string) error {
 
 // runInContainer executes an iptables command inside a container's network namespace via nsenter
 func (m *Manager) runInContainer(pid int, table string, args ...string) error {
-	iptPath := "/sbin/iptables-legacy"
+	iptPath := "/usr/sbin/iptables-legacy"
 	if !strings.Contains(m.binary, "legacy") {
-		iptPath = "/sbin/iptables"
+		iptPath = "/usr/sbin/iptables"
 	}
 
 	fullArgs := []string{"-t", fmt.Sprintf("%d", pid), "-n", "--", iptPath}
@@ -177,9 +177,9 @@ func (m *Manager) deleteMatchingLines(chain, table string, grepPatterns ...strin
 
 // deleteMatchingLinesInContainer deletes matching lines inside a container namespace
 func (m *Manager) deleteMatchingLinesInContainer(pid int, table, chain string, grepPatterns ...string) error {
-	iptPath := "/sbin/iptables-legacy"
+	iptPath := "/usr/sbin/iptables-legacy"
 	if !strings.Contains(m.binary, "legacy") {
-		iptPath = "/sbin/iptables"
+		iptPath = "/usr/sbin/iptables"
 	}
 
 	nsenterArgs := []string{"-t", fmt.Sprintf("%d", pid), "-n", "--", iptPath, "-w", "--line-number", "-n", "-t", table, "-L", chain}