Fixed firewall (iptables) and added ip6tables for ipv6
@@ -6,7 +6,7 @@ LABEL maintainer="quentin.mcgaw@gmail.com" \
ram="11MB" \
ram="11MB" \
cpu_usage="Low" \
cpu_usage="Low" \
github="https://github.com/qdm12/private-internet-access-docker"
github="https://github.com/qdm12/private-internet-access-docker"
RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables && \
RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables ip6tables && \
apk add -q --progress --no-cache --update --virtual=build-dependencies unzip && \
apk add -q --progress --no-cache --update --virtual=build-dependencies unzip && \
mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \
mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \
wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
@@ -26,28 +26,39 @@ done
printf "\n * Deleting all iptables rules..."
printf "\n * Deleting all iptables rules..."
iptables --flush
iptables --flush
iptables --delete-chain
iptables --delete-chain
iptables -t nat --flush
ip6tables --flush
iptables -t nat --delete-chain
ip6tables --delete-chain
iptables -P OUTPUT DROP
printf "DONE"
printf "DONE"
iptables -F OUTPUT
iptables -P OUTPUT DROP
ip6tables -F OUTPUT 2>/dev/null
ip6tables -P OUTPUT DROP 2>/dev/null
printf "\n * Adding rules to accept local loopback traffic..."
printf "\n * Adding rules to accept local loopback traffic..."
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null
printf "DONE"
printf "DONE"
printf "\n * Adding rules to accept traffic of subnet $SUBNET..."
printf "\n * Adding rules to accept traffic of subnet $SUBNET..."
#iptables -A INPUT --src $SUBNET -j ACCEPT -i eth0
iptables -A OUTPUT -d $SUBNET -j ACCEPT
iptables -A OUTPUT -d $SUBNET -j ACCEPT -o eth0
ip6tables -A OUTPUT -d $SUBNET -j ACCEPT 2>/dev/null
printf "DONE"
printf "DONE"
for ip in $VPNIPS
for ip in $VPNIPS
do
do
printf "\n * Adding rules to accept traffic with $ip on port $PROTOCOL $PORT..."
printf "\n * Adding rules to accept traffic with $ip on port $PROTOCOL $PORT..."
iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT
iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT
iptables -A INPUT -j ACCEPT -s $ip -i eth0 -p $PROTOCOL -m $PROTOCOL --sport $PORT
ip6tables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT 2>/dev/null
printf "DONE"
printf "DONE"
done
done
printf "\n * Adding rules to accept traffic going through the tun device..."
printf "\n * Adding rules to accept traffic going through the tun device..."
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -j ACCEPT -o tun0
iptables -A OUTPUT -o tap0 -j ACCEPT
ip6tables -A OUTPUT -o tap0 -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o tun0 -j ACCEPT 2>/dev/null
printf "DONE"
printf "\n * Allowing outgoing DNS queries on port 53 UDP..."
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
printf "DONE"
printf "DONE"
printf "\n * Starting OpenVPN using the following parameters:"
printf "\n * Starting OpenVPN using the following parameters:"
printf "\n * Domain: $PIADOMAIN"
printf "\n * Domain: $PIADOMAIN"
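Review bot: The new rule `iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT` carries no `-o` restriction, so once `iptables -P OUTPUT DROP` is in force it is the one path that lets UDP/53 leave on eth0 outside the tunnel — a DNS leak of exactly the kind this kill switch exists to prevent, and the `-o tun0`/`-o tap0` ACCEPT rules added just above already cover resolvers reached through the VPN. If resolving before the tunnel is up is not needed, `iptables -A OUTPUT -o tun0 -p udp -m udp --dport 53 -j ACCEPT` (and its ip6tables twin) keeps the intent without the hole; if it is needed (presumably to resolve `$PIADOMAIN`), constrain it with `-d` to the intended resolver rather than any destination. Separately, every `ip6tables` line ends in `2>/dev/null`, including `ip6tables -P OUTPUT DROP 2>/dev/null`, so if ip6tables is unusable in the container the IPv6 default policy silently stays whatever it was and IPv6 egress is unfiltered; probing once with `ip6tables -L OUTPUT >/dev/null 2>&1 || printf "\n * WARNING: ip6tables unavailable, IPv6 traffic is not filtered"` makes that failure visible. The `ip6tables -A OUTPUT -d $SUBNET` and `-d $ip` rules will presumably always be rejected if those variables hold IPv4 values, which the same redirection also hides.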