Merge pull request #559 from sillyfrog/master

Option to disable iptable REJECT target
Kristian Haugene
2018-08-06 14:54:20 +02:00
committed by GitHub
6 changed files with 14 additions and 0 deletions


@@ -8,6 +8,7 @@
#ENABLE_UFW=false #ENABLE_UFW=false
#UFW_ALLOW_GW_NET=false #UFW_ALLOW_GW_NET=false
#UFW_EXTRA_PORTS= #UFW_EXTRA_PORTS=
#UFW_DISABLE_IPTABLES_REJECT=false
#GLOBAL_APPLY_PERMISSIONS=true #GLOBAL_APPLY_PERMISSIONS=true
#TRANSMISSION_ALT_SPEED_DOWN=50 #TRANSMISSION_ALT_SPEED_DOWN=50
#TRANSMISSION_ALT_SPEED_ENABLED=false #TRANSMISSION_ALT_SPEED_ENABLED=false


@@ -118,6 +118,7 @@ ENV OPENVPN_USERNAME=**None** \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \ UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
UFW_DISABLE_IPTABLES_REJECT=false \
TRANSMISSION_WEB_UI= \ TRANSMISSION_WEB_UI= \
PUID= \ PUID= \
PGID= \ PGID= \


@@ -108,6 +108,7 @@ ENV OPENVPN_USERNAME=**None** \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \ UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
UFW_DISABLE_IPTABLES_REJECT=false \
TRANSMISSION_WEB_UI= \ TRANSMISSION_WEB_UI= \
PUID= \ PUID= \
PGID= \ PGID= \


@@ -111,6 +111,7 @@ ENV OPENVPN_USERNAME=**None** \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \ UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
UFW_DISABLE_IPTABLES_REJECT=false \
TRANSMISSION_WEB_UI=\ TRANSMISSION_WEB_UI=\
PUID=\ PUID=\
PGID=\ PGID=\


@@ -152,6 +152,7 @@ If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to t
|`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`| |`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
|`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`| |`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`|
|`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`| |`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`|
|`UFW_DISABLE_IPTABLES_REJECT` | Prevents the use of `REJECT` in the `iptables` rules, for hosts without the `ipt_REJECT` module (such as the Synology NAS). | `UFW_DISABLE_IPTABLES_REJECT=true`|
### Permission configuration options ### Permission configuration options
By default the startup script applies a default set of permissions and ownership on the transmission download, watch and incomplete directories. The GLOBAL_APPLY_PERMISSIONS directive can be used to disable this functionality. By default the startup script applies a default set of permissions and ownership on the transmission download, watch and incomplete directories. The GLOBAL_APPLY_PERMISSIONS directive can be used to disable this functionality.


@@ -101,9 +101,18 @@ function ufwAllowPortLong {
} }
if [[ "${ENABLE_UFW,,}" == "true" ]]; then if [[ "${ENABLE_UFW,,}" == "true" ]]; then
if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
# A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py
# force a rewrite on the enable below
echo "Disable and blank firewall"
ufw disable
echo "" > /etc/ufw/user.rules
fi
# Enable firewall # Enable firewall
echo "enabling firewall" echo "enabling firewall"
sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw
ufw enable ufw enable
if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then
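Review bot: The added `sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw` sits outside the `UFW_DISABLE_IPTABLES_REJECT` guard, so it changes firewall behaviour for every `ENABLE_UFW=true` user, while the PR title and the README row only describe the REJECT toggle; if it is only needed for the Synology case, move it inside the `if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]` block, otherwise document it (as far as I recall from ufw's defaults file, `MANAGE_BUILTINS=yes` lets ufw flush the built-in iptables chains on disable/reload, which is worth stating explicitly, though I cannot confirm that from this hunk). The capability patch `sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py` is also never verified: if the ufw package layout or source changes, sed exits 0 with no match and the later `ufw enable` will still try REJECT on the host the option was meant for, so add a check such as `grep -q 'return \[\]' /usr/lib/python3/dist-packages/ufw/util.py || { echo "ufw capability patch did not apply" >&2; exit 1; }` (or at least a warning) right after it. Note too that the hard-coded path and the global `/g` replacement will hit every `return caps` in that module, so a comment naming the ufw version this was written against would help the next person who has to re-check it. The enclosing `if [[ "${ENABLE_UFW,,}" == "true" ]]` block continues past the end of this hunk.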