walterl / proton-privoxy

Privoxy over ProtonVPN in Docker
MIT License

Add permanent kill switch and redirect stderr and stdout for up check #41

Open ProgramComputer opened 1 year ago

ProgramComputer commented 1 year ago

linux-cli-community may be unmaintained. Resolves #5 by adding the iptables package.

Adds an experimental kill switch to the container, separate from the CLI. The permanent kill switch is set as the default. The kill switch is IP-agnostic, relying on processes and interfaces (eth0 and proton0), and supports IPv6 by using nftables.

Below was the initial nftables configuration file, but it took space using sets; even when a size of 65535 is sufficient above 128, it would hinder configurability. Privoxy also recommends not running as root. Finally, manually enabling the CLI kill switch may cause unexpected results. Not tested in swarm mode.

#!/usr/sbin/nft -f
table inet filter {
    # Clients seen on eth0 (IPv4). Elements added from the packet path need a
    # default timeout, otherwise they never expire and gc-interval has nothing to collect
    set eth0_clients4 {
        type ipv4_addr
        size 65535
        flags timeout
        timeout 1d
        gc-interval 1d
    }

    # Same for IPv6 clients
    set eth0_clients6 {
        type ipv6_addr
        size 65535
        flags timeout
        timeout 1d
        gc-interval 1d
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept

        # Record client addresses when they connect on eth0 (only eth0, so tunnel
        # sources are not mistaken for clients)
        iifname "eth0" add @eth0_clients4 { ip saddr }
        iifname "eth0" add @eth0_clients6 { ip6 saddr }

        # Allow incoming traffic from eth0 clients to Privoxy (IPv4)
        iifname "eth0" ip saddr @eth0_clients4 accept

        # Allow incoming traffic from eth0 clients to Privoxy (IPv6)
        iifname "eth0" ip6 saddr @eth0_clients6 accept

        # Allow established and related traffic
        ct state established,related accept

        # Drop everything else
        drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        # Only root (the VPN client itself) may send directly over eth0
        oifname "eth0" meta skuid root accept

        # Allow established and related traffic
        ct state established,related accept

        # Drop eth0 loopbacks
        ip saddr @eth0_clients4 drop
        ip6 saddr @eth0_clients6 drop

        # Remove addresses from the eth0_clients sets when traffic to them goes out on
        # proton0. Match and delete must share one line, or nft parses two separate rules
        oifname "proton0" ip daddr @eth0_clients4 delete @eth0_clients4 { ip daddr }
        oifname "proton0" ip6 daddr @eth0_clients6 delete @eth0_clients6 { ip6 daddr }

        # Allow outgoing traffic on the proton0 interface
        oifname "proton0" accept

        # Drop everything else
        drop
    }
}

The minor change came from seeing #36 and prevents some redundant output.
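The set-free, interface-based kill switch that the description says replaced the file above, written here as an added example rather than the PR's own ruleset: it assumes eth0 is the client-facing interface, proton0 is the tunnel, the VPN client runs as root, and Privoxy runs unprivileged on its default TCP port 8118.

```nft
#!/usr/sbin/nft -f
# Added example, not the PR's file. Assumes: clients on eth0, tunnel on proton0,
# VPN client running as root, Privoxy unprivileged on TCP 8118 (its default port).
flush ruleset

table inet killswitch {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Clients reach Privoxy only via the LAN interface; the inet family covers
        # IPv4 and IPv6 in one rule, so no per-address sets are needed
        iifname "eth0" tcp dport 8118 accept
        # Nothing unsolicited is accepted from the tunnel side (policy drop)
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        # Replies to accepted client connections flow back over eth0
        ct state established,related accept
        # Only root, i.e. the VPN client, may originate traffic on eth0 (tunnel setup)
        oifname "eth0" meta skuid root accept
        # Everything else, including Privoxy's upstream requests, must use the tunnel;
        # while proton0 is down this rule never matches and the traffic is dropped
        oifname "proton0" accept
        # Count and log what the switch catches so any leak attempt is visible
        counter log prefix "killswitch-drop " drop
    }
}
```

Load it before the VPN client starts (for example `nft -f killswitch.nft` in the entrypoint). The quickest check that it holds is to stop the tunnel, send a request through Privoxy and watch the drop counter in `nft list ruleset` climb.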