commit a9f8d69d1df480ce7bd87036db187cf0e5467e8b
Author: Your Name
Date: Sun Dec 12 13:39:23 2021 +0000

    inicial

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a22bbd7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+domain.crt
+domain.csr
+domain.key
+domain.pem
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8d1c713
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM ubuntu:20.04
+RUN export DEBIAN_FRONTEND=noninteractive \
+ && apt-get update -y -qq \
+ && apt-get install -y \
+ curl jq toilet colorized-logs rsync \
+ dnsutils iputils-ping traceroute iproute2 iptables tcpdump \
+ openvpn \
+ transmission-daemon \
+ && apt-get autoremove -y \
+ && apt-get clean -y \
+ && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
diff --git a/README b/README
new file mode 100644
index 0000000..cfd1dfb
--- /dev/null
+++ b/README
@@ -0,0 +1,13 @@
+# Como funciona a parada:
+
+Wireguard (final 254) passa a ser a única rota de saída do Acu
+O Acu é acessado através do Haproxy (que tem acesso direto à net)
+
+# Alterações realizadas nos containers
+
+- Wireguard teve adicionado o pacote do IPtables e um script de boot que configura
+o mascaramento de IP a partir de qualquer interface.
+
+- Accunetix teve o script de boot awvs.sh modificado para modificar as rotas padrão
+para sair pela VPN
+
diff --git a/acunetix/.gitignore b/acunetix/.gitignore
new file mode 100644
index 0000000..a9e8eaa
--- /dev/null
+++ b/acunetix/.gitignore
@@ -0,0 +1,2 @@
+license
+licensetar.gz
diff --git a/awvs.sh b/awvs.sh
new file mode 100755
index 0000000..5be09cd
--- /dev/null
+++ b/awvs.sh
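Review bot: The `apt-get install -y` line of the root Dockerfile pulls recommended packages and pins nothing, and the image never adds a `USER` line, so everything in it runs as uid 0 with openvpn, iptables and tcpdump on the path. Change the install line to `&& apt-get install -y --no-install-recommends \` and pin the package versions, or at least pin `ubuntu:20.04` by digest, so a rebuild months later produces the same image. This Dockerfile is not referenced by docker-compose.yaml, which builds only `images/wireguard` and `images/acunetix`, so a leading comment stating what the image is for (it reads like a network-debugging toolbox — confirm) would save the next reader a search.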
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+clear
+echo -e "\033[1;31m ___ _ ___ _______ \033[0m"
+echo -e "\033[1;32m / | | / / | / / ___/ \033[0m"
+echo -e "\033[1;33m / /| | | /| / /| | / /\__ \\ \033[0m"
+echo -e "\033[1;34m / ___ | |/ |/ / | |/ /___/ / \033[0m"
+echo -e "\033[1;35m /_/ |_|__/|__/ |___//____/ \033[0m"
+echo -e "\033[1;36m \033[0m"
+echo -e "\033[1;34m -------------- \033[0m"
+echo -e "\033[1;31m Thank's fahai && Open Source Enthusiast \n\033[0m"
+echo -e "\033[1;32m [ help ] \033[0m"
+echo -e "\033[1;35m [ https://www.fahai.org/index.php/archives/146/ ] \033[0m"
+echo -e "\033[1;33m [ https://github.com/XRSec/AWVS14-Update ] \n\033[0m"
+echo -e "\033[1;34m [ https://awvs.vercel.app/ ] \n\033[0m"
+
+cat /awvs/acunetix/.hosts >> /etc/hosts
+cat /etc/hosts | grep acunetix
+route del -net default
+route add -net default gw 10.255.252.254
+su -l acunetix -c /home/acunetix/.acunetix/start.sh
diff --git a/create-networks.sh b/create-networks.sh
new file mode 100755
index 0000000..17edb3b
--- /dev/null
+++ b/create-networks.sh
@@ -0,0 +1,4 @@
+#docker network create --subnet 10.255.252.0/24 vpn
+docker network create --subnet 10.255.251.0/24 pg_opn
+docker network create --subnet 10.255.252.0/24 pg_vpn
+docker network create --internal --subnet 10.255.253.0/24 pg_bus
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..5b7c855
--- /dev/null
+++ b/docker-compose.yaml
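Review bot: The default-route switch at `route del -net default` / `route add -net default gw 10.255.252.254` does not fail closed: the script has no `set -e`, so if either command fails (no `route` binary, no default route to delete, wireguard not up yet) the following `su -l acunetix -c … start.sh` still launches the scanner with the Docker bridge gateway as its exit, bypassing the VPN that the README describes as the only route out. Add `set -euo pipefail` after the shebang and make the switch a single atomic step, `ip route replace default via 10.255.252.254 || exit 1`, if `ip` exists in the xrsec/awvs base (net-tools is installed specifically for `route`, so that is not certain — otherwise keep `route` but join the two commands with `&&` and end with `|| exit 1`). `cat /awvs/acunetix/.hosts >> /etc/hosts` appends the same entries on every container start, so they accumulate across restarts; guard it so the append runs only when the entries are absent, e.g. `grep -q acunetix /etc/hosts || cat /awvs/acunetix/.hosts >> /etc/hosts`. The `cat /etc/hosts | grep acunetix` line is just `grep acunetix /etc/hosts`.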
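Review bot: `pg_vpn` is created as an ordinary bridge on the third line, so every container attached to it — acunetix included — gets a Docker gateway with direct NATed internet access, and the README's statement that WireGuard is the only exit depends entirely on awvs.sh rewriting the default route successfully at every boot. Creating it with `docker network create --internal --subnet 10.255.252.0/24 pg_vpn` removes that path, so scanner traffic can only leave through the wireguard container at 10.255.252.254 (which keeps its own exit via pg_opn); Docker installs no default route on an internal network, so the on-link default route awvs.sh adds should still work — confirm. `pg_bus` is created on the last line but is not referenced anywhere in docker-compose.yaml, so either drop it or say in a comment what it is reserved for. The script also fails on a second run because the networks already exist; a `docker network inspect pg_vpn >/dev/null 2>&1 ||` guard in front of each create makes it rerunnable.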
@@ -0,0 +1,69 @@
+version: '3'
+
+services:
+
+ wireguard:
+ build: images/wireguard
+ container_name: wireguard
+ privileged: true
+# ports:
+# - "3443:3443"
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ environment:
+ - PUID=1000
+ - PGID=1000
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=0
+ - net.ipv6.conf.all.disable_ipv6=0
+ - net.ipv4.ip_forward=1
+# restart: unless-stopped
+ volumes:
+ - ./wireguard/wg0.conf:/config/wg0.conf
+ - /lib/modules:/lib/modules
+ - ./iptables.sh:/config/custom-cont-init.d/iptables.sh
+ networks:
+ pg_opn:
+ ipv4_address: 10.255.251.254
+ pg_vpn:
+ ipv4_address: 10.255.252.254
+
+ acunetix:
+ build: images/acunetix
+ container_name: acunetix
+ privileged: true
+ restart: unless-stopped
+ #ports:
+ # - "3443:3443"
+ volumes:
+ - ./acunetix/license:/home/acunetix/.acunetix/data/license
+ - ./awvs.sh:/awvs/awvs.sh
+ depends_on:
+ - wireguard
+ networks:
+ pg_vpn:
+ ipv4_address: 10.255.252.252
+
+ proxy:
+ image: haproxytech/haproxy-alpine
+ restart: always
+ ports:
+ - "3443:3443"
+ volumes:
+ - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
+ - ./domain.pem:/domain.pem
+ networks:
+ pg_opn:
+ ipv4_address: 10.255.251.253
+ pg_vpn:
+ ipv4_address: 10.255.252.253
+
+
+networks:
+ pg_opn:
+ external:
+ name: pg_opn
+ pg_vpn:
+ external:
+ name: pg_vpn
diff --git a/haproxy.cfg b/haproxy.cfg
new file mode 100644
index 0000000..7bb0e33
--- /dev/null
+++ b/haproxy.cfg
@@ -0,0 +1,14 @@
+global
+defaults
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+frontend http-in
+ bind :3443 ssl crt /domain.pem
+ default_backend main
+
+backend main
+ mode http
+ server main 10.255.252.252:3443 ssl verify none
+
diff --git a/images/acunetix/Dockerfile b/images/acunetix/Dockerfile
new file mode 100644
index 0000000..35eb02e
--- /dev/null
+++ b/images/acunetix/Dockerfile
@@ -0,0 +1,6 @@
+FROM xrsec/awvs
+
+RUN apt-get -y update && \
+ apt-get -y install net-tools && \
+ apt-get -y clean && \
+ rm -rf /var/lib/apt/lists/*
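Review bot: `privileged: true` on the acunetix service hands the scanner container every capability plus unmasked access to host devices, although the only privileged operation awvs.sh performs is replacing the default route, which needs `NET_ADMIN` alone; replace it with `cap_add: [NET_ADMIN]`. On the wireguard service `privileged: true` also makes the `NET_ADMIN`/`SYS_MODULE` cap_add list redundant; those two capabilities together with the `/lib/modules` mount are the documented linuxserver setup, so `privileged` should be removable there too — confirm on the host that the wireguard module still loads without it. acunetix has no `dns:` entry, so its lookups go to Docker's embedded resolver, which forwards from the host network rather than through the tunnel — a DNS leak relative to the README's intent; point `dns:` at a resolver reachable only via the VPN route (the wireguard container itself only if it runs one — confirm). `net.ipv6.conf.all.disable_ipv6=0` keeps IPv6 enabled in the wireguard container while iptables.sh installs only an IPv4 MASQUERADE rule; unless IPv6 is deliberately carried on the bridges, setting it to 1 closes a path nothing else filters.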
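Review bot: `defaults` declares no `mode http`, so `frontend http-in` runs in HAProxy's default TCP mode while `backend main` declares `mode http`; HAProxy normally rejects a frontend whose default_backend is in a different mode at config check — confirm against the haproxy-alpine release pulled by docker-compose.yaml — so add `mode http` under `defaults`. `server main 10.255.252.252:3443 ssl verify none` turns off certificate verification toward the scanner; on the internal pg_vpn bridge that is a conscious trade-off, but it deserves a comment, e.g. `# acunetix serves a self-signed cert; reached by fixed IP on the internal bridge only`. The empty `global` section is the place for `ssl-default-bind-options ssl-min-ver TLSv1.2` so the published 3443 listener does not accept legacy TLS versions. The timeout values carry no unit, which HAProxy reads as milliseconds; `5s`/`50s` says the same thing more readably.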
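Review bot: `FROM xrsec/awvs` carries no tag, so every build resolves whatever `:latest` the third-party publisher pushed most recently; pin a tag and a digest, `FROM xrsec/awvs:<tag>@sha256:<digest>`, since this image ships the scanner and the license handling the stack mounts a key into. `net-tools` is installed only to supply the `route` command awvs.sh uses; if the base already has `iproute2`, awvs.sh can use `ip route` and this RUN layer disappears — confirm. Whichever package stays, add `--no-install-recommends` and a pinned version to the `apt-get -y install` line. The same untagged-base and unpinned-apt remarks apply to images/wireguard/Dockerfile.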
diff --git a/images/wireguard/Dockerfile b/images/wireguard/Dockerfile
new file mode 100644
index 0000000..e3617e1
--- /dev/null
+++ b/images/wireguard/Dockerfile
@@ -0,0 +1,6 @@
+FROM linuxserver/wireguard
+
+RUN apt-get -y update && \
+ apt-get -y install iptables && \
+ apt-get -y clean && \
+ rm -rf /var/lib/apt/lists/*
diff --git a/iptables.sh b/iptables.sh
new file mode 100755
index 0000000..92155bc
--- /dev/null
+++ b/iptables.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+iptables -t nat -A POSTROUTING -j MASQUERADE
diff --git a/wireguard/.gitignore b/wireguard/.gitignore
new file mode 100644
index 0000000..8c4cb47
--- /dev/null
+++ b/wireguard/.gitignore
@@ -0,0 +1 @@
+wg0.conf
diff --git a/wireguard/wg0.conf.example b/wireguard/wg0.conf.example
new file mode 100644
index 0000000..1649906
--- /dev/null
+++ b/wireguard/wg0.conf.example
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
+Address = XXXXXXXXXXXXXXX
+DNS = XXXXXXXXXXXXXXXXX
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
+
+[Peer]
+PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXX
+AllowedIPs = 0.0.0.0/0,::0/0
+Endpoint = XXXXXXXXXXXXXXXXXXXXX
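Review bot: `FROM linuxserver/wireguard` is untagged and the RUN layer below it assumes an Ubuntu-style base with `apt-get`; later linuxserver/wireguard releases moved to an Alpine base where `apt-get` does not exist (confirm against the tag you actually rely on), so an unpinned pull will at some point either break the build or hand you an image whose iptables layer never ran. Pin the base, `FROM linuxserver/wireguard:<tag>`, and check whether that tag already ships `iptables` — if it does, the whole RUN layer can go.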
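Review bot: `iptables -t nat -A POSTROUTING -j MASQUERADE` has no `-o wg0` match, so the wireguard container also masquerades forwarded traffic that leaves through its `eth0` on the pg_opn bridge; if wg0 is down or not yet up when the scanner starts, acunetix packets routed to 10.255.252.254 are NATed straight to the internet instead of being dropped, and the README's "only exit route" guarantee fails silently. Masquerade on the tunnel only and give the FORWARD chain a default-deny so the gateway fails closed; the wg0.conf.example PostUp rules already accept forwarding on `%i`, so the lines below add just the policy and the tunnel-scoped NAT. The interface name wg0 follows from the `wg0.conf` mount in docker-compose.yaml, and nat/filter rules may name an interface that does not exist yet, so running this from `custom-cont-init.d` before the tunnel is up is fine.
```shell
#!/bin/bash
set -e
# NAT only what leaves through the tunnel; anything else the container forwards is dropped.
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```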
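Review bot: `PostUp`/`PostDown` masquerade on `-o enp2s0`, a host NIC name that does not exist inside the wireguard container (its bridge-side interface is `eth0` — confirm), so that clause never matches and the repository compensates with iptables.sh; since users copy this example to wg0.conf, either drop the MASQUERADE clause from both lines or point it at the tunnel, `iptables -t nat -A POSTROUTING -o %i -j MASQUERADE` in PostUp and the matching `-D` in PostDown, and add a comment saying where the NAT for pg_vpn is configured. The placeholders are fine and wg0.conf itself is gitignored, but a one-line comment per field noting which values come from the VPN provider and which are generated locally with `wg genkey` would make first-time setup unambiguous.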