From a961f6494872cfb0fc0e3a8f7189bf5405ecf7fd Mon Sep 17 00:00:00 2001
From: Joe Roback
Date: Sun, 16 Nov 2025 13:18:41 -0700
Subject: [PATCH] more kill switch fixes
---
 Dockerfile | 2 +-
 README.md | 2 +-
 entrypoint.sh | 55 +++++++++++++++++++++++++++++++++++----------------
 3 files changed, 40 insertions(+), 19 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e00c17b..3351378 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.22
-ENV LOCAL_SUBNETS="192.168.0.0/16"
+ENV LOCAL_IPV4_SUBNETS="192.168.0.0/16"
 ENV TZ="UTC"
 ENV WEBUI_HOST="http://localhost:8080"
 ENV WIREGUARD_INTERFACE="wg0"
diff --git a/README.md b/README.md
index 699015a..5f6b6ab 100644
--- a/README.md
+++ b/README.md
@@ -16,5 +16,5 @@ Tools
 | -------- | ------- | ----- | ---------- |
 | `TZ` | `UTC` | `America/Denver` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
 | `WIREGUARD_INTERFACE` | `wg0` | `wg0`, `wg1`, ... | Set the wireguard interface name to use.
-| `LOCAL_SUBNETS` | `192.168.0.0/16` | `192.168.0.0/16, 10.0.0.0/8` | Comma separated list of local subnet CIDRs to be allowed outside the wireguard tunnel.
+| `LOCAL_IPV4_SUBNETS` | `192.168.0.0/16` | `192.168.0.0/16, 10.0.0.0/8` | Comma separated list of local subnet CIDRs to be allowed outside the wireguard tunnel.
 | `WEBUI_HOST` | `http://localhost:8080` | | Url to the qBittorrent Web UI. Authenication must be disabled to localhost connections.
diff --git a/entrypoint.sh b/entrypoint.sh
index d82d4c4..7312e50 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -34,31 +34,52 @@ shutdown () {
 trap shutdown SIGTERM SIGINT SIGQUIT
 wg show
+WIREGUARD_FWMARK=$(wg show ${WIREGUARD_INTERFACE} fwmark)
-# kill switches for ipv4 and ipv6 wg-quick(8)
-iptables -I OUTPUT ! -o ${WIREGUARD_INTERFACE} -m mark ! --mark $(wg show ${WIREGUARD_INTERFACE} fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
-ip6tables -I OUTPUT ! -o ${WIREGUARD_INTERFACE} -m mark ! --mark $(wg show ${WIREGUARD_INTERFACE} fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
-
-# allow local container ipv4 subnets (especially helpful if using multiple networks)
-for network in $(ip -o addr show | awk '/^(\d)+: eth(.+)inet / {print $4}'); do
- iptables -I OUTPUT -d ${network} -j ACCEPT
-done
-
-# allow connections user defined local ipv4 networks
-for local_subnet in ${LOCAL_SUBNETS//,/$IFS}
+# allow connections from container subnets
+for container_subnet in $(ip -o addr show | awk '/^(\d)+: eth(.+)inet / {print $4}')
 do
- echo "Adding local subnet ${local_subnet} via ${default_route_ip}"
- ip route add ${local_subnet} via ${default_route_ip}
- iptables -I OUTPUT -d ${local_subnet} -j ACCEPT
+ iptables -A INPUT -s ${container_subnet} -j ACCEPT
+ iptables -A OUTPUT -d ${container_subnet} -j ACCEPT
 done
-sleep 2
+# allow connections to local subnets specified by user, need to add routes since wireguard interface has 0.0.0.0/0 allowed ips
+for local_subnet in ${LOCAL_IPV4_SUBNETS//,/$IFS}
+do
+ iptables -A INPUT -s ${local_subnet} -j ACCEPT
+ iptables -A OUTPUT -d ${local_subnet} -j ACCEPT
+ ip route add ${local_subnet} via ${default_route_ip}
+done
+
+# established connections
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# kill switches for ipv4 -- @see wg-quick(8)
+iptables -A OUTPUT ! -o ${WIREGUARD_INTERFACE} -m mark ! --mark ${WIREGUARD_FWMARK} -m addrtype ! --dst-type LOCAL -j REJECT
+
+for container_subnet in $(ip -o addr show | awk '/^(\d)+: eth(.+)inet6 / {print $4}')
+do
+ ip6tables -A INPUT -s ${container_subnet} -j ACCEPT
+ ip6tables -A OUTPUT -d ${container_subnet} -j ACCEPT
+done
+
+# established connections
+ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# kill switches for ipv6 -- @see wg-quick(8)
+ip6tables -I OUTPUT ! -o ${WIREGUARD_INTERFACE} -m mark ! --mark ${WIREGUARD_FWMARK} -m addrtype ! --dst-type LOCAL -j REJECT
+
+sleep 8 &
+wait ${!}
 # check to see if tunnel allows port forwarding
 natpmpc -g 10.2.0.1
 # give some delay until qbittorrent container launches
-sleep 10
+sleep 5 &
+wait ${!}
 # qbittorrent webui host
 WEBUI_HOST="${WEBUI_HOST:-http://localhost:8080}"
@@ -90,7 +111,7 @@ while true; do
 "${WEBUI_HOST}/api/v2/app/setPreferences" || true
 fi
- sleep 45 &
+ sleep 30 &
 wait ${!}
 done
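Review bot: The new `iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` is appended ahead of the IPv4 kill-switch REJECT, and it matches on connection state only, not on `-o ${WIREGUARD_INTERFACE}` or the fwmark; so if the tunnel goes away, packets of flows that were established through it would be accepted by that rule and leave by the remaining default route instead of being rejected, which is the case the kill switch exists for. Appending the REJECT line before the `# established connections` block (or dropping the OUTPUT conntrack rule, since the container/local-subnet ACCEPTs above already cover the intended destinations and traffic on the wireguard interface is not matched by the REJECT) keeps the wg-quick(8) semantics the comment cites. The IPv6 stanza is also inconsistent with the IPv4 one: `ip6tables -I OUTPUT ... -j REJECT` inserts at the head of the chain, so the ip6tables ACCEPTs appended just above are only reached for packets the REJECT does not match, whereas the IPv4 REJECT uses `-A`; pick one ordering for both. The chain default policies and the earlier `default_route_ip` assignment are outside this hunk, so whether INPUT is actually restricted cannot be judged from here.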