diff --git a/Dockerfile b/Dockerfile
index 52bf9db2a93..bd489ca0cd4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,18 @@
 FROM s6on/ubuntu:20.04
 LABEL maintainer="Julio Gutierrez julio.guti+nordvpn@pm.me"
-ARG NORDVPN_VERSION=3.12.0-1
+ARG NORDVPN_VERSION=3.12.1-1
 ARG DEBIAN_FRONTEND=noninteractive
-RUN apt update -y && \
- apt install -y curl iputils-ping wireguard && \
+RUN apt-get update -y && \
+ apt-get install -y curl iputils-ping wireguard && \
 curl https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb --output /tmp/nordrepo.deb && \
- apt install -y /tmp/nordrepo.deb && \
- apt update -y && \
- apt install -y nordvpn${NORDVPN_VERSION:+=$NORDVPN_VERSION} && \
- apt remove -y nordvpn-release && \
- apt autoremove -y && \
- apt autoclean -y && \
+ apt-get install -y /tmp/nordrepo.deb && \
+ apt-get update -y && \
+ apt-get install -y nordvpn${NORDVPN_VERSION:+=$NORDVPN_VERSION} && \
+ apt-get remove -y nordvpn-release && \
+ apt-get autoremove -y && \
+ apt-get autoclean -y && \
 rm -rf \
 /tmp/* \
 /var/cache/apt/archives/* \
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
index 9a1ef071368..85fd6f9f228 100644
--- a/rootfs/etc/cont-init.d/20-inet
+++ b/rootfs/etc/cont-init.d/20-inet
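Review bot: The nordvpn-release .deb fetched on the unchanged `curl https://repo.nordvpn.com/... --output /tmp/nordrepo.deb` line is what installs the repository key and source list that the later `apt-get install -y nordvpn${NORDVPN_VERSION:+=$NORDVPN_VERSION}` trusts, yet it is downloaded without `-f` (curl exits 0 on an HTTP error and saves the error body) and without any integrity check, and `apt-get install -y /tmp/nordrepo.deb` does not verify a signature on a local file. Since the commit already rewrites every other line of this RUN, pin that bootstrap package as well: `curl -fsSL https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb --output /tmp/nordrepo.deb && \` followed by `echo "<EXPECTED_SHA256>  /tmp/nordrepo.deb" | sha256sum -c - && \` (placeholder: substitute the digest of the published package). Only nordvpn itself is version-pinned; curl, iputils-ping and wireguard float with the base image's apt state, which hadolint reports as DL3008. The RUN instruction's `rm -rf` list continues past the end of the hunk.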
@@ -13,24 +13,24 @@ iptables -X
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
-iptables -A INPUT -s "${docker_networks}" -j ACCEPT
+iptables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
 iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
-iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
 iptables -A OUTPUT -o tap+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT
 iptables -A OUTPUT -o nordlynx+ -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i lo -j ACCEPT
-iptables -A FORWARD -d "${docker_networks}" -j ACCEPT
-iptables -A FORWARD -s "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
 iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
 iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
index 6d222a81c35..3d9037c4cfa 100644
--- a/rootfs/etc/cont-init.d/20-inet6
+++ b/rootfs/etc/cont-init.d/20-inet6
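Review bot: The five port allowances now bound to `-o eth0` (`--dport 53`, `51820`, `1194` tcp and udp, `443`) still carry no `-d`, so — assuming the OUTPUT policy set above the hunk is DROP — any process in the container can still reach any host on those ports directly over eth0, outside the tunnel; the `443`/tcp rule in particular leaves ordinary HTTPS, and the `53`/udp rule leaves DNS to arbitrary resolvers, untouched by the kill switch. If these exist only so the nordvpn daemon can reach its API and pick a server before the tunnel is up, consider narrowing the `53`/udp rule to the resolver the container actually uses and stating the trade-off in a comment above the block, e.g. `# Pre-tunnel bootstrap only: nordvpn needs these eth0 ports to reach its API/servers; 443/tcp is therefore reachable by any process even while the tunnel is down.` Hard-coding `eth0` tightens the rules (traffic on any other attached interface now falls through to the chain policy) but would break a container attached to more than one Docker network; if that is a supported setup, the interface should be derived from the default route the way `gw` is in 30-route. The identical block exists in 20-inet6 and this note applies there as well.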
@@ -13,24 +13,24 @@ ip6tables -X
 ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -s "${docker_networks}" -j ACCEPT
+ip6tables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
 ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
-ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
 ip6tables -A OUTPUT -o tap+ -j ACCEPT
 ip6tables -A OUTPUT -o tun+ -j ACCEPT
 ip6tables -A OUTPUT -o nordlynx+ -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p tcp -m tcp --dport 1194 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A FORWARD -i lo -j ACCEPT
-ip6tables -A FORWARD -d "${docker_networks}" -j ACCEPT
-ip6tables -A FORWARD -s "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
 ip6tables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
 ip6tables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
index d72d30b7624..7785a8831d5 100644
--- a/rootfs/etc/cont-init.d/30-route
+++ b/rootfs/etc/cont-init.d/30-route
@@ -5,8 +5,10 @@ if [ -n "$NET_LOCAL" ]; then
 gw="$(ip route | awk '/default/{print $3}')"
 for net in ${NET_LOCAL//[;,]/ }; do
 echo "Enabling connection to network ${net}"
- iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
- iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
 ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ iptables -A FORWARD -i eth0 -d "$net" -j ACCEPT
+ iptables -A FORWARD -i eth0 -s "$net" -j ACCEPT
 done
 fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
index 25598efff60..e2207d07e45 100644
--- a/rootfs/etc/cont-init.d/30-route6
+++ b/rootfs/etc/cont-init.d/30-route6
@@ -5,8 +5,10 @@ if [ -n "$NET6_LOCAL" ]; then
 gw="$(ip -6 route | awk '/default/{print $3}')"
 for net in ${NET6_LOCAL//[;,]/ }; do
 echo "Enabling connection to network ${net}"
- ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
 ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -i eth0 -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -i eth0 -s "$net" -j ACCEPT
 done
 fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
index facbf764632..5a02cab5dd8 100644
--- a/rootfs/etc/cont-init.d/40-allowlist
+++ b/rootfs/etc/cont-init.d/40-allowlist
@@ -5,6 +5,7 @@ if [[ -n ${ALLOW_LIST} ]]; then
 for domain in ${ALLOW_LIST//[;,]/ }; do
 domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
 echo "Enabling connection to host ${domain}"
-iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
+iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
 done
 fi
\ No newline at end of file
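Review bot: Moving the four iptables rules below `ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0` makes them depend on that command's outcome: `gw` comes from the context line `gw="$(ip route | awk '/default/{print $3}')"` and is empty when no default route exists, so `ip route add` fails and — if the script runs under `set -e`, which is outside the hunk — the loop ends before the INPUT/OUTPUT/FORWARD rules for `$net` are installed, with only a bare ip error to explain it. A guard before the route add, `[ -n "$gw" ] || { echo "No default route found; cannot enable ${net}"; continue; }`, makes the failure explicit either way. 30-route6 carries the same reordering and the same dependence on an empty `gw`; there the add on the context line is `ip route add` without `-6`, unlike the `ip -6 route` check beside it — ip infers the family from the prefix, but `ip -6 route add` would match the check and make the intent explicit. The enclosing `if [ -n "$NET_LOCAL" ]` block opens before the hunk in both files.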
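Review bot: The `2>/dev/null` appended to the new `iptables` and `ip6tables` lines hides every failure of `-d "${domain}"`, not only the expected one where a name has no address of that family: a name that does not resolve at all, an entry that survives the `sed` with a port suffix, or iptables itself erroring all produce no rule while the preceding `echo` still reports the host as enabled. Keep the suppression but surface the outcome per family, e.g. `iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null || echo "No IPv4 rule added for ${domain}"` and the matching `|| echo "No IPv6 rule added for ${domain}"` on the ip6tables line. It is also worth a comment above the loop noting that iptables resolves `${domain}` once, at rule insertion, so a host whose address changes after the container starts is no longer allowlisted until the container is restarted. The enclosing `if [[ -n ${ALLOW_LIST} ]]` block opens before the hunk.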