Compare commits
No commits in common. "0521b17804bb146887b3e5277afe95c940b9fe71" and "0676a7f1a71b9c2b8637da2f01ad51cb330784d4" have entirely different histories.
@ -4,11 +4,10 @@ services:
|
||||
i2p:
|
||||
image: geti2p/i2p
|
||||
container_name: i2p
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
# Automatically exposed locally: 4444-4445/tcp, 6668/tcp, 7654/tcp, 7656-7660/tcp
|
||||
- ${EXT_PORT}:${EXT_PORT}/tcp
|
||||
- ${EXT_PORT}:${EXT_PORT}/udp
|
||||
# Automatically exposed to localhost: 4444-4445/tcp, 6668/tcp, 7654/tcp, 7656-7660/tcp
|
||||
- ${EXT_PORT:?host port must be manually set}:12345/tcp
|
||||
- ${EXT_PORT:?host port must be manually set}:12345/udp
|
||||
volumes:
|
||||
- ${PWD}/i2pconfig:/i2p/.i2p:rw # Mandatory configs
|
||||
- ${PWD}/i2ptorrents:/i2psnark:rw # Torrenting support
|
||||
|
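--- a/iptables.sh
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/env bash
-
-# Clears the old iptables rules and sets new ones to only allow SSH & I2NP traffic (+ ICMP pings)
-
-
-sudo apt update && sudo apt install iptables iptables-persistent -y
-
-read -p "[?] Confirm the deletion of old iptables rules: " -n 1 -r
-! [[ "$REPLY" =~ ^[Yy]$ ]] && echo -e "\n[!] Aborting..." && exit 0
-
-! [ -f ".env" ] && echo "[!] The .env file not found, aborting..." && exit 1
-
-set -a
-source .env
-set +a
-
-[ -z ${EXT_PORT} ] && echo "[!] EXT_PORT is not configured, aborting..." && exit 1
-
-# Clear all old rules (IPv4)
-sudo iptables -P INPUT ACCEPT
-sudo iptables -P FORWARD ACCEPT
-sudo iptables -P OUTPUT ACCEPT
-sudo iptables -t nat -F
-sudo iptables -t mangle -F
-sudo iptables -F
-sudo iptables -X
-
-# Clear all old rules (IPv6)
-sudo ip6tables -P INPUT ACCEPT
-sudo ip6tables -P FORWARD ACCEPT
-sudo ip6tables -P OUTPUT ACCEPT
-sudo ip6tables -t nat -F
-sudo ip6tables -t mangle -F
-sudo ip6tables -F
-sudo ip6tables -X
-
-# Allow all incoming SSH traffic (tcp:22)
-sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-sudo ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-# Allow all I2NP traffic (tcp:$EXT_PORT, udp:$EXT_PORT)
-# Not using `--state NEW,ESTABLISHED` guarantees that **all** incoming and outgoing traffic is let through
-sudo iptables -A INPUT -p tcp --dport $EXT_PORT -j ACCEPT
-sudo ip6tables -A INPUT -p tcp --dport $EXT_PORT -j ACCEPT
-sudo iptables -A INPUT -p udp --dport $EXT_PORT -j ACCEPT
-sudo ip6tables -A INPUT -p udp --dport $EXT_PORT -j ACCEPT
-
-# Allow all incoming ICMP echo requests (pings)
-sudo iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
-
-# Allow all ICMP traffic via IPv6 (ICMPv6 is essential for IPv6 to function)
-sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
-
-# Allow all related and established incoming traffic (i.e. allow responses to outgoing requests initiated by the local system)
-sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-# Reject all other incoming traffic with DROP (DROP doesn't provide information about
-# the host configuration to potential attackers like REJECT would, which is why it's used)
-sudo iptables -A INPUT -j DROP
-sudo ip6tables -A INPUT -j DROP
-
-# Persist changes
-sudo iptables-save | sudo tee /etc/iptables/rules.v4
-sudo ip6tables-save | sudo tee /etc/iptables/rules.v6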