From de059f58ed2f447664c2870e874aa18e6b086a1c Mon Sep 17 00:00:00 2001
From: Aetherinox
Date: Tue, 6 Aug 2024 12:54:50 -0700
Subject: [PATCH] docs: update README

---
 README.md | 80 ++++++++++++++++++++++++++++++++++++++----------
 patch/docker.sh | 13 ++++----
 patch/openvpn.sh | 2 +-
 3 files changed, 72 insertions(+), 23 deletions(-)

diff --git a/README.md b/README.md
index 774a494fd..c90dffd97 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,7 @@ ConfigServer Security & Firewall (CSF) is a popular and powerful firewall soluti
 - [Advanced Logs](#advanced-logs)
 - [Install OpenVPN Patch](#install-openvpn-patch)
 - [Install](#install)
+ - [Configure](#configure-1)
 - [Download ConfigServer Firewall](#download-configserver-firewall)
 - [References for More Help](#references-for-more-help)
 - [Contributors ✨](#contributors-)
@@ -696,13 +697,12 @@ The `/patch/docker.sh` file has a few configs you can adjust. Open it in a text
 ```bash ignore
 DOCKER_INT="docker0"
-NETWORK_MANUAL_MODE=false
+NETWORK_MANUAL_MODE="false"
 NETWORK_ADAPT_NAME="traefik"
-CSF_FILE_ALLOW='/etc/csf/csf.allow'
-CSF_COMMENT='Docker container whitelist'
-DEBUG_ENABLED=true
-
-lst_ips=(
+CSF_FILE_ALLOW="/etc/csf/csf.allow"
+CSF_COMMENT="Docker container whitelist"
+DEBUG_ENABLED="false"
+IP_CONTAINERS=(
 '172.17.0.0/16'
 )
 ```
@@ -719,7 +719,7 @@ Each setting is defined below:
 | `CSF_FILE_ALLOW` |
Path to your `csf.allow` file

| | `CSF_COMMENT` |
comment added to each new whitelisted docker ip

| | `DEBUG_ENABLED` |
debugging / better logs

|
-| `lst_ips` |
list of ip address blocks you will be using for your docker setup. these blocks will be whitelisted through ConfigServer Firewall

|
+| `IP_CONTAINERS` |
list of ip address blocks you will be using for your docker setup. these blocks will be whitelisted through ConfigServer Firewall

|
@@ -777,10 +777,10 @@ You can also find out what version you are running by appending `--version` to e
-```
- ConfigServer Firewall Configuration - v2.0.0.0
- https://github.com/Aetherinox/csf-firewall
- Ubuntu | 24.04
+```shell ignore
+ConfigServer Firewall Configuration - v2.0.0.0
+https://github.com/Aetherinox/csf-firewall
+Ubuntu | 24.04
 ```
@@ -791,10 +791,10 @@ sudo /usr/local/include/csf/post.d/docker.sh --version
-```
- ConfigServer Firewall Docker Patch - v2.0.0.0
- https://github.com/Aetherinox/csf-firewall
- Ubuntu | 24.04
+```shell ignore
+ConfigServer Firewall Docker Patch - v2.0.0.0
+https://github.com/Aetherinox/csf-firewall
+Ubuntu | 24.04
 ```
@@ -808,7 +808,7 @@ sudo csf -r
All steps performed by the script will be displayed in terminal:
-```
+```shell ignore
 + POSTROUTING Adding IPs from primary IP list
 + 172.17.0.0/16
 + RULE: -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
@@ -852,6 +852,54 @@ sudo chmod +x /patch/openvpn.sh
+
+### Configure
+The `/patch/openvpn.sh` file has a few configs you can adjust. Open it in a text editor and change the values to your preference.
+
+```bash ignore
+ETH_ADAPTER=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
+TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')
+IP_PUBLIC=$(curl ipinfo.io/ip)
+DEBUG_ENABLED="false"
+
+
+
+Each setting is defined below:
+
+| Setting | Description |
+| --- | --- |
+| `ETH_ADAPTER` |
primary network adapter

|
+| `TUN_ADAPTER` |
openvpn tunnel adapter

|
+| `IP_PUBLIC` |
server's public ip address

|
+| `DEBUG_ENABLED` |
debugging / better logs

| + +
+
+The script tries to automatically detect the values specified above, however, you can manually specify your own values.
+
+
+
+As an example, instead of automatically detecting your server's public IP address or ethernet adapters, you can specify your own by changing the following:
+
+```bash ignore
+# old code
+ETH_ADAPTER=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
+TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')
+IP_PUBLIC=$(curl ipinfo.io/ip)
+
+# manually specified ip
+ETH_ADAPTER="eth0"
+TUN_ADAPTER="tun0"
+IP_PUBLIC="216.55.100.5"
+
+
+
+After changing the values re-run `install.sh`
+
+
+
 ---
diff --git a/patch/docker.sh b/patch/docker.sh
index c57548c93..471c84750 100644
--- a/patch/docker.sh
+++ b/patch/docker.sh
@@ -53,14 +53,15 @@ END="\e[0m"
 # CSF_FILE_ALLOW : the defined allow list file
 # CSF_COMMENT : comment added to each whitelisted ip within iptables
 # DEBUG_ENABLED : debugging mode; throws prints during various steps
+# IP_CONTAINERS : list of ip address blocks you will be using for your docker setup. these blocks will be whitelisted through ConfigServer Firewall
 #
 #
 DOCKER_INT="docker0"
 NETWORK_MANUAL_MODE="false"
 NETWORK_ADAPT_NAME="traefik"
-CSF_FILE_ALLOW='/etc/csf/csf.allow'
-CSF_COMMENT='Docker container whitelist'
-DEBUG_ENABLED=true
+CSF_FILE_ALLOW="/etc/csf/csf.allow"
+CSF_COMMENT="Docker container whitelist"
+DEBUG_ENABLED="true"
 #
 #
 # list > network ips
@@ -69,7 +70,7 @@ DEBUG_ENABLED=true
 # whitelisted.
 #
 #
-lst_ips=(
+IP_CONTAINERS=(
 '172.17.0.0/16'
 )
@@ -369,13 +370,13 @@ echo -e
 echo -e " ${BOLD}${DEVGREY}+ POSTROUTING ${WHITE}Adding IPs from primary IP list${NORMAL}"
-for j in "${!lst_ips[@]}"; do
+for j in "${!IP_CONTAINERS[@]}"; do
 #
 #
 # get ip addresses
 #
 #
- ip_block=${lst_ips[$j]}
+ ip_block=${IP_CONTAINERS[$j]}
 echo -e " ${BOLD}${WHITE} + ${YELLOW}${ip_block}${NORMAL}"
diff --git a/patch/openvpn.sh b/patch/openvpn.sh
index 4b8bd9175..ddeca89f0 100644
--- a/patch/openvpn.sh
+++ b/patch/openvpn.sh
@@ -37,7 +37,7 @@ export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 ETH_ADAPTER=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
 TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')
 IP_PUBLIC=$(curl ipinfo.io/ip)
-DEBUG_ENABLED=true
+DEBUG_ENABLED="false"
 #
 #
 # vars > colors
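Review bot: `DEBUG_ENABLED="true"` in the first docker.sh hunk contradicts the README hunk in this same commit, which documents the docker.sh default as `DEBUG_ENABLED="false"`, and the openvpn.sh hunk, which flips its own default to `"false"`. A user who pastes the documented block into the script ends up with different output from one who runs it unmodified, and a hook installed under `/usr/local/include/csf/post.d/` (per the README) presumably runs on every `csf -r`, where verbose per-rule logging is noise by default. Suggest `DEBUG_ENABLED="false"` here so the shipped default matches the docs, or fix the README line instead. The value is now a quoted string; the code that tests it is outside this hunk, so confirm it compares as `[ "$DEBUG_ENABLED" = "true" ]` rather than relying on an unquoted word.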
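Review bot: `IP_PUBLIC=$(curl ipinfo.io/ip)` on the context line directly above the changed openvpn.sh default fetches the server's public address over plain HTTP (no scheme, so curl uses http://), with no `-f`, no timeout and no check on the response, and this commit now documents that line in the README as the default rather than hardening it. If ipinfo.io is unreachable or the path is tampered with, `IP_PUBLIC` is empty or attacker-supplied text; where it is consumed is outside this hunk, but a variable named that way presumably ends up in an iptables rule, where an empty or malformed value silently produces a wrong rule instead of an error. Suggest `IP_PUBLIC=$(curl -fsS --max-time 10 https://ipinfo.io/ip)` followed by `[[ "$IP_PUBLIC" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "openvpn.sh: could not determine public IP" >&2; exit 1; }` before the value is used (extend the pattern if the host needs IPv6). The README's new Configure section copies the same line, so the docs should be updated in step.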