RaspAP · billz · Jan 9, 2024 · Jan 1, 2024 · Jan 1, 2024 · Jan 1, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,6 @@
-FROM jrei/systemd-debian:10
+FROM jrei/systemd-debian:12
 RUN apt update && apt install -y sudo wget procps curl systemd && rm -rf /var/lib/apt/lists/*
-COPY setup.sh .
+RUN curl -sL https://install.raspap.com | bash -s -- --yes --wireguard 1 --openvpn 1 --adblock 1
+COPY firewall-rules.sh /home/firewall-rules.sh
+RUN chmod +x /home/firewall-rules.sh
+CMD /home/firewall-rules.sh
diff --git a/README.md b/README.md
@@ -7,8 +7,20 @@ A community-led docker container for RaspAP
 # Usage
 ```
 docker run --name raspap -it -d --privileged --network=host -v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add SYS_ADMIN jrcichra/raspap-docker
-docker exec -it raspap bash
-$ ./setup.sh
-docker restart raspap
 Web GUI should be accessible on http://localhost by default
 ```
+## Workaround for arm devices
+To use this container on arm devices you have to make cgroups writable:
+```
+docker run --name raspap -it -d --privileged --network=host --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add SYS_ADMIN jrcichra/raspap-docker
+Web GUI should be accessible on http://localhost by default
+```
+## Allow WiFi-clients to connect to LAN and internet
+Because of docker isolation and security defaults the following rules must be added on the docker host:
+```
+iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
+iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
+iptables-save
+```
diff --git a/firewall-rules.sh b/firewall-rules.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
+iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
+iptables-save
diff --git a/setup.sh b/setup.sh