diff --git a/README.md b/README.md
index 0100a74..efebd91 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ docker run -d \
 -e ENABLE_PRIVOXY= \
 -e LAN_NETWORK=/ \
 -e NAME_SERVERS= \
+ -e ADDITIONAL_PORTS= \
 -e DEBUG= \
 -e WEBUI_PORT= \
 -e UMASK= \
@@ -76,6 +77,7 @@ docker run -d \
 -e ENABLE_PRIVOXY=yes \
 -e LAN_NETWORK=192.168.1.0/24 \
 -e NAME_SERVERS=209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1 \
+ -e ADDITIONAL_PORTS=1234 \
 -e DEBUG=false \
 -e WEBUI_PORT=8080 \
 -e UMASK=000 \
@@ -120,6 +122,7 @@ docker run -d \
 -e ENABLE_PRIVOXY=yes \
 -e LAN_NETWORK=192.168.1.0/24 \
 -e NAME_SERVERS=209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1 \
+ -e ADDITIONAL_PORTS=1234 \
 -e DEBUG=false \
 -e WEBUI_PORT=8080 \
 -e UMASK=000 \
diff --git a/build/root/install.sh b/build/root/install.sh
index e1496d1..601df6d 100644
--- a/build/root/install.sh
+++ b/build/root/install.sh
@@ -297,6 +297,13 @@ if [[ $VPN_ENABLED == "yes" ]]; then
 export ENABLE_PRIVOXY="no"
 fi
+ export ADDITIONAL_PORTS=$(echo "${ADDITIONAL_PORTS}" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')
+ if [[ ! -z "${ADDITIONAL_PORTS}" ]]; then
+ echo "[info] ADDITIONAL_PORTS defined as '${ADDITIONAL_PORTS}'" | ts '%Y-%m-%d %H:%M:%.S'
+ else
+ echo "[info] ADDITIONAL_PORTS not defined (via -e ADDITIONAL_PORTS), skipping allow for custom incoming ports" | ts '%Y-%m-%d %H:%M:%.S'
+ fi
+
 fi
 export WEBUI_PORT=$(echo "${WEBUI_PORT}" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')
diff --git a/run/root/iptable.sh b/run/root/iptable.sh
index 6557236..9a2e593 100644
--- a/run/root/iptable.sh
+++ b/run/root/iptable.sh
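Review bot: The added block trims and logs ADDITIONAL_PORTS but never checks its shape, so a non-numeric entry or an empty element (a doubled or leading comma) is only discovered later when iptable.sh passes it to iptables as `--dport ""` or `--dport foo`; since this is the one place the value is normalized, it is the natural place to reject anything that is not a comma-separated list of port numbers, e.g. `if [[ -n "${ADDITIONAL_PORTS}" && ! "${ADDITIONAL_PORTS}" =~ ^[0-9]+([[:space:]]*,[[:space:]]*[0-9]+)*$ ]]; then echo "[warn] ADDITIONAL_PORTS '${ADDITIONAL_PORTS}' is not a comma separated list of ports, ignoring" | ts '%Y-%m-%d %H:%M:%.S'; export ADDITIONAL_PORTS=""; fi` before the existing `[[ ! -z … ]]` test. The value is operator-supplied via `-e`, so this is about failing loudly at startup rather than about injection, but a firewall script that stops halfway through a malformed list is exactly the case an operator wants surfaced early. Two smaller points: `export ADDITIONAL_PORTS=$(…)` discards the exit status of the pipeline (ShellCheck SC2155), so assign first and export on the next line, and `[[ ! -z … ]]` reads more naturally as `[[ -n … ]]`. The enclosing `if [[ $VPN_ENABLED == "yes" ]]` block starts before the hunk.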
@@ -92,6 +92,28 @@ iptables -A INPUT -i "${docker_interface}" -p $VPN_PROTOCOL --sport $VPN_PORT -j
 iptables -A INPUT -i "${docker_interface}" -p tcp --dport "${WEBUI_PORT}" -j ACCEPT
 iptables -A INPUT -i "${docker_interface}" -p tcp --sport "${WEBUI_PORT}" -j ACCEPT
+# additional port list for scripts or container linking
+if [[ ! -z "${ADDITIONAL_PORTS}" ]]; then
+
+ # split comma separated string into list from ADDITIONAL_PORTS env variable
+ IFS=',' read -ra additional_port_list <<< "${ADDITIONAL_PORTS}"
+
+ # process additional ports in the list
+ for additional_port_item in "${additional_port_list[@]}"; do
+
+ # strip whitespace from start and end of additional_port_item
+ additional_port_item=$(echo "${additional_port_item}" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')
+
+ echo "[info] Adding additional incoming port ${additional_port_item} for ${docker_interface}"
+
+ # accept input to additional port for "${docker_interface}"
+ iptables -A INPUT -i "${docker_interface}" -p tcp --dport "${additional_port_item}" -j ACCEPT
+ iptables -A INPUT -i "${docker_interface}" -p tcp --sport "${additional_port_item}" -j ACCEPT
+
+ done
+
+fi
+
 # process lan networks in the list
 for lan_network_item in "${lan_network_list[@]}"; do
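Review bot: Each trimmed `additional_port_item` goes straight into `--dport`/`--sport` without being checked, so an empty element (from a doubled or leading comma) or a typo produces an iptables parse error, which depending on whether the script runs under `set -e` either aborts the rest of the rule set or leaves that port silently closed; the same applies to the OUTPUT copy in the second hunk of this file. The loop should validate each item before the `echo` and skip bad ones with a warning, as below; the check deliberately accepts only a single numeric port (iptables would also take `a:b` ranges and service names), and `10#` avoids bash reading a leading-zero value as octal. Trailing whitespace inside the list is not the concern here since the sed trim already removes it.
```shell
  # strip whitespace from start and end of additional_port_item
  additional_port_item=$(echo "${additional_port_item}" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')

  # skip anything that is not a single tcp port number, so a stray comma or
  # typo does not abort the rule set with an iptables parse error
  if [[ ! "${additional_port_item}" =~ ^[0-9]+$ ]] \
     || (( 10#${additional_port_item} < 1 || 10#${additional_port_item} > 65535 )); then
    echo "[warn] Ignoring invalid ADDITIONAL_PORTS entry '${additional_port_item}'"
    continue
  fi
  # … unchanged: info echo and the two iptables -A INPUT rules …
```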
@@ -154,6 +176,28 @@ fi
 iptables -A OUTPUT -o "${docker_interface}" -p tcp --dport "${WEBUI_PORT}" -j ACCEPT
 iptables -A OUTPUT -o "${docker_interface}" -p tcp --sport "${WEBUI_PORT}" -j ACCEPT
+# additional port list for scripts or container linking
+if [[ ! -z "${ADDITIONAL_PORTS}" ]]; then
+
+ # split comma separated string into list from ADDITIONAL_PORTS env variable
+ IFS=',' read -ra additional_port_list <<< "${ADDITIONAL_PORTS}"
+
+ # process additional ports in the list
+ for additional_port_item in "${additional_port_list[@]}"; do
+
+ # strip whitespace from start and end of additional_port_item
+ additional_port_item=$(echo "${additional_port_item}" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')
+
+ echo "[info] Adding additional outgoing port ${additional_port_item} for ${docker_interface}"
+
+ # accept output to additional port for lan interface
+ iptables -A OUTPUT -o "${docker_interface}" -p tcp --dport "${additional_port_item}" -j ACCEPT
+ iptables -A OUTPUT -o "${docker_interface}" -p tcp --sport "${additional_port_item}" -j ACCEPT
+
+ done
+
+fi
+
 # process lan networks in the list
 for lan_network_item in "${lan_network_list[@]}"; do
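Review bot: This block is a line-for-line copy of the INPUT block added earlier in the file, differing only in the chain, the `-o` flag and the word "outgoing" in the log line, so any later fix to the parsing or trimming has to be made twice and the two copies will drift; a small helper taking the chain, interface flag and log label keeps the list handling in one place, as sketched below (collapsing all whitespace with `${port//[[:space:]]/}` instead of the sed trim is equivalent for a valid port number). Separately, the `--sport "${additional_port_item}" -j ACCEPT` lines here and in the INPUT copy accept any packet merely because its source port equals the configured port; this mirrors the existing WEBUI_PORT pattern, but if the file already carries a conntrack `ESTABLISHED,RELATED` rule for return traffic (not visible in this hunk) the `--sport` lines are redundant and dropping them would keep the allow-list tighter. The comment `# accept output to additional port for lan interface` names the lan interface while the rule uses `${docker_interface}`; `# accept output to additional port on "${docker_interface}"` would match the INPUT copy.
```shell
# add accept rules for each entry in ADDITIONAL_PORTS on the given chain
# usage: allow_additional_ports <chain> <interface flag> <log label>
allow_additional_ports() {
  local chain="$1" iface_flag="$2" label="$3"
  local port_list port
  IFS=',' read -ra port_list <<< "${ADDITIONAL_PORTS}"
  for port in "${port_list[@]}"; do
    port="${port//[[:space:]]/}"
    echo "[info] Adding additional ${label} port ${port} for ${docker_interface}"
    iptables -A "${chain}" "${iface_flag}" "${docker_interface}" -p tcp --dport "${port}" -j ACCEPT
    iptables -A "${chain}" "${iface_flag}" "${docker_interface}" -p tcp --sport "${port}" -j ACCEPT
  done
}
# … unchanged: WEBUI_PORT OUTPUT rules …
[[ -n "${ADDITIONAL_PORTS}" ]] && allow_additional_ports OUTPUT -o outgoing
```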