diff --git a/DockerEnv b/DockerEnv
index 24d4d6769..2509f714e 100644
--- a/DockerEnv
+++ b/DockerEnv
@@ -8,6 +8,7 @@
 #ENABLE_UFW=false
 #UFW_ALLOW_GW_NET=false
 #UFW_EXTRA_PORTS=
+#UFW_DISABLE_IPTABLES_REJECT=false
 #GLOBAL_APPLY_PERMISSIONS=true
 #TRANSMISSION_ALT_SPEED_DOWN=50
 #TRANSMISSION_ALT_SPEED_ENABLED=false
diff --git a/Dockerfile b/Dockerfile
index b198da2b4..5a67645a5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -118,6 +118,7 @@ ENV OPENVPN_USERNAME=**None** \
 ENABLE_UFW=false \
 UFW_ALLOW_GW_NET=false \
 UFW_EXTRA_PORTS= \
+ UFW_DISABLE_IPTABLES_REJECT=false \
 TRANSMISSION_WEB_UI= \
 PUID= \
 PGID= \
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index 01d415a71..8df898a8c 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -108,6 +108,7 @@ ENV OPENVPN_USERNAME=**None** \
 ENABLE_UFW=false \
 UFW_ALLOW_GW_NET=false \
 UFW_EXTRA_PORTS= \
+ UFW_DISABLE_IPTABLES_REJECT=false \
 TRANSMISSION_WEB_UI= \
 PUID= \
 PGID= \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index 6e1bc0579..084c56cb4 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -111,6 +111,7 @@ ENV OPENVPN_USERNAME=**None** \
 ENABLE_UFW=false \
 UFW_ALLOW_GW_NET=false \
 UFW_EXTRA_PORTS= \
+ UFW_DISABLE_IPTABLES_REJECT=false \
 TRANSMISSION_WEB_UI=\
 PUID=\
 PGID=\
diff --git a/README.md b/README.md
index e21574ccf..2892a9ff4 100644
--- a/README.md
+++ b/README.md
@@ -152,6 +152,7 @@ If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to t
 |`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
 |`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`|
 |`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`|
+|`UFW_DISABLE_IPTABLES_REJECT` | Prevents the use of `REJECT` in the `iptables` rules, for hosts without the `ipt_REJECT` module (such as the Synology NAS). | `UFW_DISABLE_IPTABLES_REJECT=true`|
 ### Permission configuration options
 By default the startup script applies a default set of permissions and ownership on the transmission download, watch and incomplete directories. The GLOBAL_APPLY_PERMISSIONS directive can be used to disable this functionality.
diff --git a/openvpn/start.sh b/openvpn/start.sh
index 7f5370ee9..e62a30a7d 100755
--- a/openvpn/start.sh
+++ b/openvpn/start.sh
@@ -101,9 +101,18 @@ function ufwAllowPortLong {
 }
 if [[ "${ENABLE_UFW,,}" == "true" ]]; then
+ if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
+ # A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
+ sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py
+ # force a rewrite on the enable below
+ echo "Disable and blank firewall"
+ ufw disable
+ echo "" > /etc/ufw/user.rules
+ fi
 # Enable firewall
 echo "enabling firewall"
 sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
+ sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw
 ufw enable
 if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then
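Review bot: The `sed -i 's/return caps/return []/g'` on the hard-coded ufw `util.py` path in the new UFW_DISABLE_IPTABLES_REJECT block fails silently when the pattern or file is absent (`sed -i` exits 0 having changed nothing), so on an image whose ufw modules live elsewhere — the Alpine variant in this same change most likely keeps them under site-packages rather than dist-packages — the log reports the firewall reworked while ufw still emits REJECT rules, which is exactly the case the option exists for; confirm the match first and fail loudly, as in the excerpt below. The unconditional `sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw` a few lines later changes behaviour for every ENABLE_UFW=true deployment, not only those setting the new option: with MANAGE_BUILTINS=yes ufw flushes the built-in INPUT/OUTPUT/FORWARD chains on enable/disable, which discards any iptables rules added outside ufw, so if it is only needed for the reject hack it belongs inside the new `if`, and otherwise the README row should document the side effect. Minor: `echo "" > /etc/ufw/user.rules` leaves a file holding one newline rather than an empty one; `: > /etc/ufw/user.rules` truncates it. The ENABLE_UFW block opened in this hunk continues past its end.
```shell
  if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
    # A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
    ufw_util=/usr/lib/python3/dist-packages/ufw/util.py
    if grep -q 'return caps' "$ufw_util" 2>/dev/null; then
      sed -i 's/return caps/return []/g' "$ufw_util"
    elif ! grep -q 'return \[\]' "$ufw_util" 2>/dev/null; then
      # neither the original nor the already-patched text is present: the hack cannot take effect here
      echo "UFW_DISABLE_IPTABLES_REJECT: cannot patch $ufw_util" >&2
      exit 1
    fi
    # … unchanged: disable and blank the firewall …
  fi
```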