asdf

seedbox/disable_iptables.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+iptables -F
+iptables -X
+iptables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+
+exit 0

seedbox/fix.sh

@@ -0,0 +1,9 @@
+if ! [ -d /mnt/torrents/complete ] ; then
+	if mount -a ; then
+		rc-service wg-quick.wg0 restart
+		rc-service qbittorrent-nox restart
+	fi
+else
+	rc-service wg-quick.wg0 restart
+	rc-service qbittorrent-nox restart
+fi

seedbox/iptables-seedbox.sh

@@ -0,0 +1,67 @@
+#!/bin/sh -ex
+#
+# this is a "kill switch" for wireguard
+# block all traffic outside of the tunnel
+# --------------------------------------------------------------------
+
+# flush
+iptables -F
+
+# refuse all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
+# permit samba / NFS to truenas (192.168.100.143)
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED
+
+# permit qbittorrent-nox access on LAN subnet
+iptables -A INPUT -j ACCEPT -s 192.168.100.0/24 -p tcp --dport 8080 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d 192.168.100.0/24 -p tcp --sport 8080 -m state --state ESTABLISHED
+
+# permit ssh on LAN subnet
+iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# allow dns to pihole
+PIHOLE_IP=192.168.100.200
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p tcp --dport 53 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p udp --dport 53 -m state --state NEW
+
+# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
+
+# permit outgoing wireguard traffic on 51820 to the mullvad server
+WIREGUARD_SERVER=38.240.225.36
+iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
+
+# permit any local traffic
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# ========== dont think we need tun on wireguard ===================
+#iptables -A INPUT -i tun+ -j ACCEPT
+#iptables -A OUTPUT -o tun+ -j ACCEPT
+# ========== dont think we need tun on wireguard ===================
+
+# permit replies to traffic sent out
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# save
+/etc/init.d/iptables save
+