Merge pull request #559 from sillyfrog/master

Option to disable iptable REJECT target
haugene · Aug 6, 2018 · 464ae88 · 464ae88
2 parents 28ec82d + f2a1899
commit 464ae88
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 0 deletions.
diff --git a/DockerEnv b/DockerEnv
@@ -8,6 +8,7 @@
 #ENABLE_UFW=false
 #UFW_ALLOW_GW_NET=false
 #UFW_EXTRA_PORTS=
+#UFW_DISABLE_IPTABLES_REJECT=false
 #GLOBAL_APPLY_PERMISSIONS=true
 #TRANSMISSION_ALT_SPEED_DOWN=50
 #TRANSMISSION_ALT_SPEED_ENABLED=false

diff --git a/Dockerfile b/Dockerfile
@@ -118,6 +118,7 @@ ENV OPENVPN_USERNAME=**None** \
     ENABLE_UFW=false \
     UFW_ALLOW_GW_NET=false \
     UFW_EXTRA_PORTS= \
+    UFW_DISABLE_IPTABLES_REJECT=false \
     TRANSMISSION_WEB_UI= \
     PUID= \
     PGID= \

diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -108,6 +108,7 @@ ENV OPENVPN_USERNAME=**None** \
     ENABLE_UFW=false \
     UFW_ALLOW_GW_NET=false \
     UFW_EXTRA_PORTS= \
+    UFW_DISABLE_IPTABLES_REJECT=false \
     TRANSMISSION_WEB_UI= \
     PUID= \
     PGID= \

diff --git a/Dockerfile.armhf b/Dockerfile.armhf
@@ -111,6 +111,7 @@ ENV OPENVPN_USERNAME=**None** \
     ENABLE_UFW=false \
     UFW_ALLOW_GW_NET=false \
     UFW_EXTRA_PORTS= \
+    UFW_DISABLE_IPTABLES_REJECT=false \
     TRANSMISSION_WEB_UI=\
     PUID=\
     PGID=\

diff --git a/README.md b/README.md
@@ -152,6 +152,7 @@ If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to t
 |`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
 |`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`|
 |`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`|
+|`UFW_DISABLE_IPTABLES_REJECT` | Prevents the use of `REJECT` in the `iptables` rules, for hosts without the `ipt_REJECT` module (such as the Synology NAS). | `UFW_DISABLE_IPTABLES_REJECT=true`|
 
 ### Permission configuration options
 By default the startup script applies a default set of permissions and ownership on the transmission download, watch and incomplete directories. The GLOBAL_APPLY_PERMISSIONS directive can be used to disable this functionality.

diff --git a/openvpn/start.sh b/openvpn/start.sh
@@ -101,9 +101,18 @@ function ufwAllowPortLong {
 }
 
 if [[ "${ENABLE_UFW,,}" == "true" ]]; then
+  if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
+    # A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
+    sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py
+    # force a rewrite on the enable below
+    echo "Disable and blank firewall"
+    ufw disable
+    echo "" > /etc/ufw/user.rules
+  fi
   # Enable firewall
   echo "enabling firewall"
   sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
+  sed -i -e s/MANAGE_BUILTINS=no/MANAGE_BUILTINS=yes/ /etc/default/ufw
   ufw enable
 
   if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then