Added no firewall modification option

Added no firewall modification option to be able to disable iptables alteration

Author: SloCompTech

CHANGELOG.md

@@ -1,11 +1,12 @@
 # Changelog
 
-### 1.0.5 - Bugfix, finish hook
+### 1.0.5 - Bugfix, finish hook, persistent interface, no firewall
 
 - Fixed bug when running hooks (#3)
 - Added **finish** hook (which runs just before container exit)
 - Added **persistent interface** option, so interface is persistently present on device (if using host networking mode) and firewall setup rules are executed **only once** (no ip tables mess) (#1)
 - Logging chaned to stdout, no more log file by default
+- Added **firewall disable** feature to disable all firewall related modifications
 
 ### 1.0.4 - IPv6 docs, improved wizards
 

README.md

@@ -70,7 +70,8 @@ services:
 |:-----------:|:----------:|
 |`-e PUID=1000`|for UserID - see below for explanation|
 |`-e PGID=1000`|for GroupID - see below for explanation|
-|`-o OVPN_PERINT=false`|Disable persistent TUN interface|
+|`-e OVPN_NFW=true`|Disable any firewall related rules to be created, modified ... (must be implemented in example)|
+|`-e OVPN_PERINT=false`|Disable persistent TUN interface|
 |`-v /config`|All the config files including OpenVPNs reside here|
 
 See also: [EasyRSA](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md)  
@@ -147,7 +148,6 @@ For more infromation see:
 
 - [OpenVPN troubleshoot guide](https://community.openvpn.net/openvpn/wiki/HOWTO#Troubleshooting)  
 
-
 ## Contribute
 
 Feel free to contribute new features to this container, but first see [Contribute Guide](CONTRIBUTING.md).
@@ -159,7 +159,7 @@ Planed features:
 Wanted features (please help implement):
 
 - LDAP authentication script
-- Google authenticator 
+- Google authenticator
 
 ## Licenses
 
@@ -168,7 +168,6 @@ Wanted features (please help implement):
 - [Base image](https://github.com/linuxserver/docker-baseimage-alpine)  
 - [s6 Layer](https://github.com/just-containers/s6-overlay/blob/master/LICENSE.md)  
 
-
 ## Versions
 
 See [CHANGELOG](CHANGELOG.md)  

root/app/lib/settings

@@ -16,6 +16,18 @@ function intPersistant() {
     fi
 }
 
+#
+#   Checks if we use firewall rules
+#   @return 1 if yes, 0 if not
+#
+function useFW() {
+    if [ ! -n "$OVPN_NFW" ] || ([ "$OVPN_NFW" != "true" ] && [ "$OVPN_NFW" != "1" ]); then
+        return 1 # yes by default
+    else
+        return 0 # No
+    fi
+}
+
 #
 #   Checks if TUN interface exists already
 #   @return 0 if found, 1 if not found

root/defaults/example/README.md

@@ -35,6 +35,30 @@ config
         Readme.md # Info about example, what to configure
 ```
 
+### Hooks
+
+- start hook file with
+
+    ``` bash
+    #!/usr/bin/with-contenv bash
+
+    source /app/lib/settings
+    source /app/lib/utils
+    ```
+
+- if hooks call any **firewall** related commands add after above code and before any commands
+
+    ``` bash
+    # Check if firewall rules are disabled
+    useFW
+    if [ $? -eq 0 ]; then
+        # Don't use fw rules
+        exit 0
+    fi
+    ```
+
+- also check the examples how persistent interface is handled, so you don't create iptables mess (running init, up script once, never call down, finish)
+
 ### Notes
 
 - **DO NOT** use `dev` attribute, because it is set to static interface `tun0`.
@@ -50,7 +74,7 @@ User will call `ovpn_enconf CONFIG_NAME [wizard args]` to load your example in s
 
 Then there are two options:
 
-1. User manualy configure settigns in `/config/openvpn` folder
+1. User manualy configure settings in `/config/openvpn` folder
 2. Your **wizard** script, configures files which will be copied to `/config/openvpn`
     - Configuration files are copied to temporary location (so they can be modified)
     - `wizard` script will be called with temporary location as first argument `$1` (folder has same structure as in examples)

root/defaults/example/config/basic_nat/hooks/down/10-network.sh

@@ -3,6 +3,13 @@
 source /app/lib/settings
 source /app/lib/utils
 
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
 # Don't run if interface persistent
 intPersistant
 if [ $? -eq 1 ]; then

root/defaults/example/config/basic_nat/hooks/finish/10-network.sh

@@ -3,6 +3,13 @@
 source /app/lib/settings
 source /app/lib/utils
 
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
 # Don't run if interface persistent
 intPersistant
 if [ $? -eq 1 ]; then

root/defaults/example/config/basic_nat/hooks/init/10-network.sh

@@ -3,6 +3,13 @@
 source /app/lib/settings
 source /app/lib/utils
 
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
 # Run only once if interface persistent
 intPersistant
 if [ $? -eq 1 ]; then

root/defaults/example/config/basic_nat/hooks/up/10-network.sh

@@ -3,6 +3,13 @@
 source /app/lib/settings
 source /app/lib/utils
 
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
 # Run only once if interface persistent
 intPersistant
 if [ $? -eq 1 ]; then

root/defaults/example/config/basic_nat_wlp/hooks/down/10-network.sh

@@ -3,6 +3,13 @@
 source /app/lib/settings
 source /app/lib/utils
 
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
 # Don't run if interface persistent
 intPersistant
 if [ $? -eq 1 ]; then

root/defaults/example/config/basic_nat_wlp/hooks/finish/10-network.sh

@@ -3,6 +3,13 @@
 source /app/lib/settings
 source /app/lib/utils
 
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
 # Don't run if interface persistent
 intPersistant
 if [ $? -eq 1 ]; then