update to 3.12.1

bubuntux · Nov 19, 2021 · bce88f3 · bce88f3
1 parent 00c053e
commit bce88f3
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 32 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,18 @@
 FROM s6on/ubuntu:20.04
 LABEL maintainer="Julio Gutierrez [email protected]"
 
-ARG NORDVPN_VERSION=3.12.0-1
+ARG NORDVPN_VERSION=3.12.1-1
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt update -y && \
-    apt install -y curl iputils-ping wireguard && \
+RUN apt-get update -y && \
+    apt-get install -y curl iputils-ping wireguard && \
     curl https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb --output /tmp/nordrepo.deb && \
-    apt install -y /tmp/nordrepo.deb && \
-    apt update -y && \
-    apt install -y nordvpn${NORDVPN_VERSION:+=$NORDVPN_VERSION} && \
-    apt remove -y nordvpn-release && \
-    apt autoremove -y && \
-    apt autoclean -y && \
+    apt-get install -y /tmp/nordrepo.deb && \
+    apt-get update -y && \
+    apt-get install -y nordvpn${NORDVPN_VERSION:+=$NORDVPN_VERSION} && \
+    apt-get remove -y nordvpn-release && \
+    apt-get autoremove -y && \
+    apt-get autoclean -y && \
     rm -rf \
 		/tmp/* \
 		/var/cache/apt/archives/* \

diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
@@ -13,24 +13,24 @@ iptables -X
 
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
-iptables -A INPUT -s "${docker_networks}" -j ACCEPT
+iptables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
 
 iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
-iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
 iptables -A OUTPUT -o tap+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT
 iptables -A OUTPUT -o nordlynx+ -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 
 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i lo -j ACCEPT
-iptables -A FORWARD -d "${docker_networks}" -j ACCEPT
-iptables -A FORWARD -s "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
 
 iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
 iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
@@ -13,24 +13,24 @@ ip6tables -X
 
 ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -s "${docker_networks}" -j ACCEPT
+ip6tables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
 
 ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
-ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
 ip6tables -A OUTPUT -o tap+ -j ACCEPT
 ip6tables -A OUTPUT -o tun+ -j ACCEPT
 ip6tables -A OUTPUT -o nordlynx+ -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p tcp -m tcp --dport 1194 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 
 ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A FORWARD -i lo -j ACCEPT
-ip6tables -A FORWARD -d "${docker_networks}" -j ACCEPT
-ip6tables -A FORWARD -s "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
 
 ip6tables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
 ip6tables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
@@ -5,8 +5,10 @@ if [ -n "$NET_LOCAL" ]; then
    gw="$(ip route | awk '/default/{print $3}')"
    for net in ${NET_LOCAL//[;,]/ }; do
       echo "Enabling connection to network ${net}"
-      iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
-      iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
       ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+      iptables -A INPUT   -i eth0 -s "$net" -j ACCEPT
+      iptables -A OUTPUT  -o eth0 -d "$net" -j ACCEPT
+      iptables -A FORWARD -i eth0 -d "$net" -j ACCEPT
+      iptables -A FORWARD -i eth0 -s "$net" -j ACCEPT
   done
 fi
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
@@ -5,8 +5,10 @@ if [ -n "$NET6_LOCAL" ]; then
    gw="$(ip -6 route | awk '/default/{print $3}')"
    for net in ${NET6_LOCAL//[;,]/ }; do
       echo "Enabling connection to network ${net}"
-      ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
-      ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
       ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+      ip6tables -A INPUT   -i eth0 -s "$net" -j ACCEPT
+      ip6tables -A OUTPUT  -o eth0 -d "$net" -j ACCEPT
+      ip6tables -A FORWARD -i eth0 -d "$net" -j ACCEPT
+      ip6tables -A FORWARD -i eth0 -s "$net" -j ACCEPT
   done
 fi
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
@@ -5,6 +5,7 @@ if [[ -n ${ALLOW_LIST} ]]; then
   for domain in ${ALLOW_LIST//[;,]/ }; do
     domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
     echo "Enabling connection to host ${domain}"
-    iptables  -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
+    iptables  -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+    ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
   done
 fi