Configure Patches ¶

Before you run the downloaded patcher; there are several files you must open and edit. Do not run the patcher yet.

Docker¶

The Docker patch has a few settings that must be modified. To change these settings, open the file:

sudo nano /patch/docker.sh

Find the following settings:

# #

app_dir_this_a="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"     # current script full path
app_dir_this_b="${PWD}"                                                             # current script full path (alternative)
app_file_this=$(basename "$0")                                                      # docker.sh (with ext)
app_file_bin="${app_file_this%.*}"                                                  # docker (without ext)
app_pid=$BASHPID                                                                    # app pid
app_title="ConfigServer Firewall - Docker Patch"                                    # app title; displayed with --version
app_about="Sets up your firewall rules to work with Docker and Traefik. \n"\
"     This script requires that you have iptables installed on your system. \n"\
"     The required packages will be installed if you do not have them."             # app about; displayed with --version
app_ver=("14" "24" "0")                                                             # current script version

# #
#   define > configs

The settings are outlined below:

Setting	Description
`DOCKER_INT`	main docker network interface
`CSF_FILE_ALLOW`	Path to your `csf.allow` file
`CSF_COMMENT`	comment added to each new whitelisted docker ip
`DEBUG_ENABLED`	debugging / better logs
`IP_CONTAINERS`	list of ip address blocks you will be using for your docker setup. these blocks will be whitelisted through ConfigServer Firewall

Settings¶

Each individual setting with a detailed description

DOCKER_INT¶

2.0.0 docker0

The main docker visual bridge network name; this is usually docker0, however, it can be changed. You can find a list of these by running the command

ip link show

Output

4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 01:af:fd:1a:a1:2f ard ff:ff:ff:ff:ff:ff

CSF_FILE_ALLOW¶

2.0.0 /etc/csf/csf.allow

The full path to your ConfigServer's csf.allow file. Each time an IP from one of your docker containers is detected, the IP will be whitelisted in ConfigServer Firewall.

docker.sh

CSF_FILE_ALLOW="/etc/csf/csf.allow"

CSF_COMMENT¶

2.0.0 Docker container whitelist

This is the comment that will be appended to each IP that is added to your ConfigServer's allow.csf whitelist file.

docker.shcsf.allow

CSF_COMMENT="Docker container whitelist"

172.18.0.21 # Docker container whitelist - Fri Jun 7 11:43:00 2024
172.18.0.12 # Docker container whitelist - Fri Jun 7 11:43:01 2024
172.18.0.11 # Docker container whitelist - Fri Jun 7 11:43:01 2024

DEBUG_ENABLED¶

2.0.0 false

If set true, additional information will be printed to terminal when the user executes sudo csf -ra

docker.sh

DEBUG_ENABLED="false"

IP_CONTAINERS¶

2.0.0 172.17.0.0/16

A list of IP blocks that you use within docker for container assignment.

docker.sh

IP_CONTAINERS=(
    '172.17.0.0/16'
)

OpenVPN¶

The OpenVPN patch has a few settings that must be modified. To change these settings, open the file:

sudo nano /patch/openvpn.sh

Find the following settings:

ETH_ADAPTER=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')
IP_PUBLIC=$(curl -s ipinfo.io/ip)
DEBUG_ENABLED="false"

# #
#   list > vpn ips
#
#   this is the IP pool assigned to a user who connects to your vpn server
# #

IP_POOL=(
    '10.8.0.0/24'
)

The settings are outlined below:

Setting	Description
`ETH_ADAPTER`	name of primary network adapter
`TUN_ADAPTER`	name of OpenVPN tunnel adapter
`IP_PUBLIC`	public IP to your server
`DEBUG_ENABLED`	debugging / better logs
`IP_POOL`	list of subnets assigned to your OpenVPN server

Settings¶

Each individual setting with a detailed description

ETH_ADAPTER¶

2.0.0 $(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")

The name of your primary server network adapter. This is usually eth*, enp*, etc.

openvpn.sh

ETH_ADAPTER=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")

The default value attempts to auto-detect your network adapter name, however, you can specify the name manually:

openvpn.sh

ETH_ADAPTER="eth0"

You can usually find your main network adapter with the command:

TerminalOutput

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet XX.XX.XX.XX  netmask 255.255.248.0  broadcast XX.XX.XX.XX
        inet6 ea24::a1bd:ef15:15a5:aae  prefixlen 64  scopeid 0x20<link>
        ether 01:15:72:15:2a:ab  txqueuelen 1000  (Ethernet)
        RX packets 101924006  bytes 383095603887 (383.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 100519601  bytes 134852355384 (134.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7741770  bytes 2099091655 (2.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7741770  bytes 2099091655 (2.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

TUN_ADAPTER¶

2.0.0 $(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')

The name of the primary OpenVPN tunnel adapter name. This is usually tun*.

openvpn.sh

TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')

The default value attempts to auto-detect your tunnel adapter name, however, you can specify the tunnel name manually:

openvpn.sh

TUN_ADAPTER="tun0"

You can usually find your main network adapter with the command:

TerminalOutput

ifconfig

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::d70f:d8a8:32ab:1292  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 620722  bytes 134501334 (134.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1449168  bytes 1756905789 (1.7 GB)
        TX errors 0  dropped 37128 overruns 0  carrier 0  collisions 0

IP_PUBLIC¶

2.0.0 $(curl -s ipinfo.io/ip)

The public IP address of your server.

openvpn.sh

IP_PUBLIC=$(curl -s ipinfo.io/ip)

The default value attempts to auto-detect your public IP address, however, you can specify the ip manually:

openvpn.sh

IP_PUBLIC="204.22.36.22"

There are a few ways that you can obtain your server's public IP address:

Method 1Method 2Method 3

wget -q -O - ipinfo.io/ip

# 204.22.36.22

sudo apt-get install lynx -y
lynx -source ipinfo.io/ip

# 204.22.36.22

curl ipinfo.io/ip

# 204.22.36.22

DEBUG_ENABLED¶

2.0.0 false

If set true, additional information will be printed to terminal when the patch is ran.

docker.sh

DEBUG_ENABLED="false"

IP_POOL¶

2.0.0 10.8.0.0/24

A list of subnets assigned to your OpenVPN server.

docker.sh

IP_POOL=(
    '10.8.0.0/24'
)