Added firewall support

Magnus Ullberg
2017-04-06 13:14:19 -04:00
parent 77756be6cb
commit 5df12b5b17
6 changed files with 41 additions and 3 deletions


@@ -4,6 +4,7 @@
#OPENVPN_USERNAME= #OPENVPN_USERNAME=
#OPENVPN_PASSWORD= #OPENVPN_PASSWORD=
#LOCAL_NETWORK= #LOCAL_NETWORK=
#ENABLE_UFW=false
#TRANSMISSION_ALT_SPEED_DOWN=50 #TRANSMISSION_ALT_SPEED_DOWN=50
#TRANSMISSION_ALT_SPEED_ENABLED=false #TRANSMISSION_ALT_SPEED_ENABLED=false
#TRANSMISSION_ALT_SPEED_TIME_BEGIN=540 #TRANSMISSION_ALT_SPEED_TIME_BEGIN=540
@@ -75,4 +76,4 @@
#TRANSMISSION_UTP_ENABLED=true #TRANSMISSION_UTP_ENABLED=true
#TRANSMISSION_WATCH_DIR=/data/watch #TRANSMISSION_WATCH_DIR=/data/watch
#TRANSMISSION_WATCH_DIR_ENABLED=true #TRANSMISSION_WATCH_DIR_ENABLED=true
#TRANSMISSION_HOME=/data/transmission-home #TRANSMISSION_HOME=/data/transmission-home


@@ -10,7 +10,7 @@ VOLUME /config
# Update packages and install software # Update packages and install software
RUN apt-get update \ RUN apt-get update \
&& apt-get -y install software-properties-common \ && apt-get -y install software-properties-common ufw \
&& add-apt-repository multiverse \ && add-apt-repository multiverse \
&& add-apt-repository ppa:transmissionbt/ppa \ && add-apt-repository ppa:transmissionbt/ppa \
&& apt-get update \ && apt-get update \
@@ -103,6 +103,7 @@ ENV OPENVPN_USERNAME=**None** \
"TRANSMISSION_WATCH_DIR=/data/watch" \ "TRANSMISSION_WATCH_DIR=/data/watch" \
"TRANSMISSION_WATCH_DIR_ENABLED=true" \ "TRANSMISSION_WATCH_DIR_ENABLED=true" \
"TRANSMISSION_HOME=/data/transmission-home" \ "TRANSMISSION_HOME=/data/transmission-home" \
"ENABLE_UFW=false" \
PUID=\ PUID=\
PGID= PGID=


@@ -11,7 +11,7 @@ VOLUME /config
# Update packages and install software # Update packages and install software
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y transmission-cli transmission-common transmission-daemon \ && apt-get install -y transmission-cli transmission-common transmission-daemon \
&& apt-get install -y openvpn curl \ && apt-get install -y openvpn curl ufw \
&& curl -sLO https://archive.raspbian.org/raspbian/pool/main/d/dumb-init/dumb-init_1.0.3-1_armhf.deb \ && curl -sLO https://archive.raspbian.org/raspbian/pool/main/d/dumb-init/dumb-init_1.0.3-1_armhf.deb \
&& dpkg -i dumb-init_*.deb \ && dpkg -i dumb-init_*.deb \
&& rm -rf dumb-init_*.deb \ && rm -rf dumb-init_*.deb \
@@ -100,6 +100,7 @@ ENV OPENVPN_USERNAME=**None** \
"TRANSMISSION_WATCH_DIR=/data/watch" \ "TRANSMISSION_WATCH_DIR=/data/watch" \
"TRANSMISSION_WATCH_DIR_ENABLED=true" \ "TRANSMISSION_WATCH_DIR_ENABLED=true" \
"TRANSMISSION_HOME=/data/transmission-home" \ "TRANSMISSION_HOME=/data/transmission-home" \
"ENABLE_UFW=false" \
PUID=\ PUID=\
PGID= PGID=


@@ -78,6 +78,15 @@ By default a folder named transmission-home will also be created under /data, th
|`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) | |`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) |
|`LOCAL_NETWORK` | Sets the local network that should have access. | `LOCAL_NETWORK=192.168.0.0/24`| |`LOCAL_NETWORK` | Sets the local network that should have access. | `LOCAL_NETWORK=192.168.0.0/24`|
### Firewall configuration options
When enabled, the firewall blocks everything except traffic to the peer port and traffic to the rpc port from the LOCAL_NETWORK and the internal docker gateway.
If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to the range of peer ports defined by TRANSMISSION_PEER_PORT_RANDOM_HIGH and TRANSMISSION_PEER_PORT_RANDOM_LOW.
| Variable | Function | Example |
|----------|----------|-------|
|`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
### Transmission configuration options ### Transmission configuration options
You may override transmission options by setting the appropriate environment variable. You may override transmission options by setting the appropriate environment variable.


@@ -46,11 +46,35 @@ dockerize -template /etc/transmission/environment-variables.tmpl:/etc/transmissi
TRANSMISSION_CONTROL_OPTS="--script-security 2 --up /etc/transmission/start.sh --down /etc/transmission/stop.sh" TRANSMISSION_CONTROL_OPTS="--script-security 2 --up /etc/transmission/start.sh --down /etc/transmission/stop.sh"
if [ "true" = "$ENABLE_UFW" ]; then
# Enable firewall
echo "enabling firewall"
sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
ufw enable
if [ "true" = "$TRANSMISSION_PEER_PORT_RANDOM_ON_START" ]; then
PEER_PORT="$TRANSMISSION_PEER_PORT_RANDOM_LOW:$TRANSMISSION_PEER_PORT_RANDOM_HIGH/tcp"
else
PEER_PORT=$TRANSMISSION_PEER_PORT
fi
echo "allowing $PEER_PORT through the firewall"
ufw allow $PEER_PORT
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
echo "allowing access to $TRANSMISSION_RPC_PORT from $GW"
ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT
fi
if [ -n "${LOCAL_NETWORK-}" ]; then if [ -n "${LOCAL_NETWORK-}" ]; then
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}') eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
if [ -n "${GW-}" -a -n "${INT-}" ]; then if [ -n "${GW-}" -a -n "${INT-}" ]; then
echo "adding route to local network $LOCAL_NETWORK via $GW dev $INT" echo "adding route to local network $LOCAL_NETWORK via $GW dev $INT"
/sbin/ip r a "$LOCAL_NETWORK" via "$GW" dev "$INT" /sbin/ip r a "$LOCAL_NETWORK" via "$GW" dev "$INT"
if [ "true" = "$ENABLE_UFW" ]; then
echo "allowing access to $TRANSMISSION_RPC_PORT from $LOCAL_NETWORK"
ufw allow proto tcp from $LOCAL_NETWORK to any port $TRANSMISSION_RPC_PORT
fi
fi fi
fi fi
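Review bot: The new RPC rule `ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT` reuses the route-discovery `eval` but drops the `-n "${GW-}"` guard that the existing LOCAL_NETWORK branch applies before touching `$GW`, so when no non-tun0 default route is found the rule is issued with an empty source and either fails or does not express the intended restriction. Wrap it as `if [ -n "${GW-}" ]; then ufw allow proto tcp from "$GW" to any port "$TRANSMISSION_RPC_PORT"; fi`, quote the other new expansions (`ufw allow "$PEER_PORT"`, `from "$LOCAL_NETWORK"`) the way the existing `ip r a` line already does, and hoist the now-duplicated `eval $(/sbin/ip r l m 0.0.0.0 | …)` above both `if` blocks so it runs once. The exit status of `ufw enable` is also never checked, so if enabling fails (the cause cannot be determined from this hunk) the script still logs "enabling firewall" and continues with the VPN up and no filtering; `ufw enable || { echo "ufw enable failed" >&2; exit 1; }` would fail closed instead. The enclosing script begins and continues outside the hunk.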


@@ -75,5 +75,7 @@ export TRANSMISSION_WATCH_DIR_ENABLED={{ .Env.TRANSMISSION_WATCH_DIR_ENABLED }}
# Transmission needs to know which VPN provider is used # Transmission needs to know which VPN provider is used
export OPENVPN_PROVIDER={{ .Env.OPENVPN_PROVIDER }} export OPENVPN_PROVIDER={{ .Env.OPENVPN_PROVIDER }}
export ENABLE_UFW={{ .Env.ENABLE_UFW }}
export PUID={{ .Env.PUID }} export PUID={{ .Env.PUID }}
export PGID={{ .Env.PGID }} export PGID={{ .Env.PGID }}