From cec73f96dd6aba4a710fb7762b15d92a683d43e8 Mon Sep 17 00:00:00 2001
From: Sillyfrog
Date: Tue, 17 Jul 2018 17:00:29 +1000
Subject: [PATCH] Option to disable iptable REJECT target
New UFW_DISABLE_IPTABLES_REJECT option that hacks ufw to allow the prevention of the use of the REJECT iptables target, as this is not available on some NAS platforms (such as the Synology).
---
 DockerEnv | 1 +
 Dockerfile | 1 +
 Dockerfile.alpine | 1 +
 Dockerfile.armhf | 1 +
 README.md | 1 +
 openvpn/start.sh | 9 +++++++++
 6 files changed, 14 insertions(+)
diff --git a/DockerEnv b/DockerEnv
index 19d7f937c..256d4f21e 100644
--- a/DockerEnv
+++ b/DockerEnv
@@ -8,6 +8,7 @@
 #ENABLE_UFW=false
 #UFW_ALLOW_GW_NET=false
 #UFW_EXTRA_PORTS=
+#UFW_DISABLE_IPTABLES_REJECT=false
 #TRANSMISSION_ALT_SPEED_DOWN=50
 #TRANSMISSION_ALT_SPEED_ENABLED=false
 #TRANSMISSION_ALT_SPEED_TIME_BEGIN=540
diff --git a/Dockerfile b/Dockerfile
index e0191f392..1d591c555 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -116,6 +116,7 @@ ENV OPENVPN_USERNAME=**None** \
 ENABLE_UFW=false \
 UFW_ALLOW_GW_NET=false \
 UFW_EXTRA_PORTS= \
+ UFW_DISABLE_IPTABLES_REJECT=false \
 TRANSMISSION_WEB_UI= \
 PUID= \
 PGID= \
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index 38b85df09..080338b60 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -106,6 +106,7 @@ ENV OPENVPN_USERNAME=**None** \
 ENABLE_UFW=false \
 UFW_ALLOW_GW_NET=false \
 UFW_EXTRA_PORTS= \
+ UFW_DISABLE_IPTABLES_REJECT=false \
 TRANSMISSION_WEB_UI= \
 PUID= \
 PGID= \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index 9555adabb..6182b97c8 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -109,6 +109,7 @@ ENV OPENVPN_USERNAME=**None** \
 ENABLE_UFW=false \
 UFW_ALLOW_GW_NET=false \
 UFW_EXTRA_PORTS= \
+ UFW_DISABLE_IPTABLES_REJECT=false \
 TRANSMISSION_WEB_UI=\
 PUID=\
 PGID=\
diff --git a/README.md b/README.md
index abbb3dea2..e94e38553 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,7 @@ If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to t
 |`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
 |`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`|
 |`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respsects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`|
+|`UFW_DISABLE_IPTABLES_REJECT` | Prevents the use of `REJECT` in the `iptables` rules, for hosts without the `ipt_REJECT` module (such as the Synology NAS). | `UFW_DISABLE_IPTABLES_REJECT=true`|
 ### Alternative web UIs
 You can override the default web UI by setting the ```TRANSMISSION_WEB_HOME``` environment variable. If set, Transmission will look there for the Web Interface files, such as the javascript, html, and graphics files.
diff --git a/openvpn/start.sh b/openvpn/start.sh
index 6c8c6786b..cf07b402c 100755
--- a/openvpn/start.sh
+++ b/openvpn/start.sh
@@ -92,9 +92,18 @@ function ufwAllowPortLong {
 }
 if [[ "${ENABLE_UFW,,}" == "true" ]]; then
+ if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
+ # A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
+ sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py
+ # force a rewrite on the enable below
+ echo "Disable and blank firewall"
+ ufw disable
+ echo "" > /etc/ufw/user.rules
+ fi
 # Enable firewall
 echo "enabling firewall"
 sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
+ sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw
 ufw enable
 if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then
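Review bot: The `sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw` line sits after the `fi`, outside the `UFW_DISABLE_IPTABLES_REJECT` guard, so every `ENABLE_UFW=true` deployment now has ufw take ownership of and flush the built-in INPUT/OUTPUT/FORWARD chains on enable/reload, which can discard iptables rules created outside ufw, while the commit message and README describe only the opt-in REJECT workaround. If that setting is only needed for the workaround it should move inside the guarded block (above the `fi`); if it is intended for everyone it needs to be called out in the description and the README row. The in-place patch `sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py` is also unchecked: the Alpine image receives the same option in this commit, and if ufw's `util.py` lives elsewhere there (or the package layout changes) `sed -i` fails, the script presumably carries on, and `ufw enable` still emits REJECT rules, so guard it with `[[ -f /usr/lib/python3/dist-packages/ufw/util.py ]] || { echo "ufw util.py not found, cannot disable REJECT" >&2; exit 1; }` before the sed. Note too that `ufw disable` followed by `echo "" > /etc/ufw/user.rules` leaves the container with no ufw policy until the `ufw enable` below succeeds, so a failure in between should abort rather than continue; the `ENABLE_UFW` block continues past the end of the hunk.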