From c23940fc6ff771d9d348c43aeda48bbc46af7aae Mon Sep 17 00:00:00 2001
From: wvr
Date: Fri, 13 Feb 2026 21:50:28 -0600
Subject: [PATCH] asdf
---
 seedbox/disable_iptables.sh | 9 +++++
 seedbox/fix.sh | 9 +++++
 seedbox/iptables-seedbox.sh | 67 +++++++++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100755 seedbox/disable_iptables.sh
 create mode 100755 seedbox/fix.sh
 create mode 100755 seedbox/iptables-seedbox.sh
diff --git a/seedbox/disable_iptables.sh b/seedbox/disable_iptables.sh
new file mode 100755
index 0000000..28fdfc0
--- /dev/null
+++ b/seedbox/disable_iptables.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+iptables -F
+iptables -X
+iptables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+
+exit 0
diff --git a/seedbox/fix.sh b/seedbox/fix.sh
new file mode 100755
index 0000000..4e6361b
--- /dev/null
+++ b/seedbox/fix.sh
@@ -0,0 +1,9 @@
+if ! [ -d /mnt/torrents/complete ] ; then
+ if mount -a ; then
+ rc-service wg-quick.wg0 restart
+ rc-service qbittorrent-nox restart
+ fi
+else
+ rc-service wg-quick.wg0 restart
+ rc-service qbittorrent-nox restart
+fi
diff --git a/seedbox/iptables-seedbox.sh b/seedbox/iptables-seedbox.sh
new file mode 100755
index 0000000..fed3625
--- /dev/null
+++ b/seedbox/iptables-seedbox.sh
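Review bot: disable_iptables.sh carries no comment saying what it is for, and its effect deserves one because it reverses the kill switch set up by iptables-seedbox.sh: it flushes the filter table, deletes user chains and sets all three policies to ACCEPT, but it never runs `/etc/init.d/iptables save`, so presumably the previously saved ruleset (the kill switch) returns the next time the iptables service loads its saved state. A header such as `# Disable the wireguard kill switch from iptables-seedbox.sh (filter table only; not persisted, so the saved ruleset returns on the next iptables restart).` makes that explicit for whoever runs it. Since `-F` and `-X` default to the filter table, any rules in other tables are left untouched; if that is intended, say so in the same comment.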
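Review bot: fix.sh is created with mode 100755 but has no shebang, so which interpreter runs it depends on the caller; add `#!/bin/sh` as the first line. The `[ -d /mnt/torrents/complete ]` test only proves the directory exists, so if that path persists as an empty mount point after the share drops, the script restarts wg-quick.wg0 and qbittorrent-nox without remounting — assuming the path is itself the mount point, `mountpoint -q /mnt/torrents/complete` is the check that matches the intent. The two restart pairs are identical and the whole file can collapse to one block guarded by `if mountpoint -q /mnt/torrents/complete || mount -a; then`, which also removes the silent no-op when `mount -a` fails. Neither `rc-service` call's status is checked, so a failed wg-quick restart followed by a successful qbittorrent restart goes unnoticed; consider `set -e` after the shebang or an explicit `|| exit 1` on the wg-quick line.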
@@ -0,0 +1,67 @@
+#!/bin/sh -ex
+#
+# this is a "kill switch" for wireguard
+# block all traffic outside of the tunnel
+# --------------------------------------------------------------------
+
+# flush
+iptables -F
+
+# refuse all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
+# permit samba / NFS to truenas (192.168.100.143)
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED
+
+# permit qbittorrent-nox access on LAN subnet
+iptables -A INPUT -j ACCEPT -s 192.168.100.0/24 -p tcp --dport 8080 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d 192.168.100.0/24 -p tcp --sport 8080 -m state --state ESTABLISHED
+
+# permit ssh on LAN subnet
+iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# allow dns to pihole
+PIHOLE_IP=192.168.100.200
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p tcp --dport 53 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p udp --dport 53 -m state --state NEW
+
+# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
+
+# permit outgoing wireguard traffic on 51820 to the mullvad server
+WIREGUARD_SERVER=38.240.225.36
+iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
+
+# permit any local traffic
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# ========== dont think we need tun on wireguard ===================
+#iptables -A INPUT -i tun+ -j ACCEPT
+#iptables -A OUTPUT -o tun+ -j ACCEPT
+# ========== dont think we need tun on wireguard ===================
+
+# permit replies to traffic sent out
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# save
+/etc/init.d/iptables save
+
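Review bot: The `/24` suffix on the twelve truenas rules and the two pihole rules widens each match to the whole 192.168.100.0/24 subnet (iptables masks the host bits), so any LAN host can reach the SMB/NFS ports and receive the host's port-53 traffic, not only 192.168.100.143 and `$PIHOLE_IP` as the comments say; those fourteen lines should use `/32`, e.g. `iptables -A INPUT -s 192.168.100.143/32 -j ACCEPT -p tcp -m tcp --dport 2049`. With the OUTPUT policy at DROP there is also no rule accepting traffic that leaves on the tunnel interface, so unless the wg-quick config adds one in PostUp nothing will actually flow through the tunnel; `iptables -A OUTPUT -o wg0 -j ACCEPT` next to the lo rules closes that gap (wg0 is the interface fix.sh restarts). The second `$WIREGUARD_SERVER` rule is an exact duplicate of the first, and the INPUT rule matching `--sport ssh -m state --state NEW` accepts any new connection from the LAN that uses source port 22 regardless of destination port, which the ESTABLISHED,RELATED rules at the end already cover for genuine replies. Nothing here touches ip6tables, so if the host has IPv6 connectivity that traffic sits outside the kill switch entirely; and because `-ex` lives in the shebang, running the file as `sh iptables-seedbox.sh` silently loses the abort-on-error behaviour the script relies on between setting DROP policies and adding the allow rules.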