firewall/nft-nd-priv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Christoph
2025-12-27 19:23:42 +01:00
commit fea1d9fdc0
8 changed files with 328 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
install.sh Executable file
View File

@@ -0,0 +1,71 @@
#!/usr/bin/env bash
set -euo pipefail
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
say(){ echo "[nft-fw-nd-priv] $*"; }
say "Creating directories..."
install -d -m 0755 /usr/local/sbin
say "Installing template..."
install -m 0644 "$REPO_DIR/templates/nftables.conf.in" /etc/nftables.conf.in
say "Installing scripts..."
install -m 0755 "$REPO_DIR/bin/fw-apply" /usr/local/sbin/fw-apply
install -m 0755 "$REPO_DIR/bin/fw-stop" /usr/local/sbin/fw-stop
say "Installing default config (won't overwrite existing)..."
if [[ ! -f /etc/default/nft-fw ]]; then
install -m 0644 "$REPO_DIR/etc-default/nft-fw-nd-priv" /etc/default/nft-fw
else
say "Config already exists at /etc/default/nft-fw (leaving as-is)."
fi
say "Installing systemd unit..."
install -m 0644 "$REPO_DIR/systemd/nft-fw.service" /etc/systemd/system/nft-fw.service
systemctl daemon-reload
systemctl enable nft-fw.service
say "Switching iptables binaries to nft backend (if available)..."
set_alt() {
local name="$1" target="$2"
if command -v update-alternatives >/dev/null 2>&1; then
if update-alternatives --list "$name" >/dev/null 2>&1; then
if update-alternatives --list "$name" | grep -qx "$target"; then
update-alternatives --set "$name" "$target" || true
say "Set alternative: $name -> $target"
fi
fi
fi
}
# Common paths on Debian/Ubuntu
set_alt iptables /usr/sbin/iptables-nft
set_alt ip6tables /usr/sbin/ip6tables-nft
set_alt arptables /usr/sbin/arptables-nft
set_alt ebtables /usr/sbin/ebtables-nft
say "Configuring fail2ban banaction for nftables (if installed)..."
if [[ -d /etc/fail2ban && -x /usr/bin/fail2ban-client ]]; then
install -d -m 0755 /etc/fail2ban/jail.d
cat > /etc/fail2ban/jail.d/nft-fw-nd-priv.local <<'JEOF'
[DEFAULT]
# Prefer nftables actions when the system uses nft backend
banaction = nftables-multiport
banaction_allports = nftables-allports
JEOF
say "Wrote /etc/fail2ban/jail.d/nft-fw-nd-priv.local"
systemctl restart fail2ban || true
else
say "fail2ban not found; skipping."
fi
say "Applying firewall now..."
/usr/local/sbin/fw-apply
say "Done. Edit /etc/default/nft-fw-nd-priv and re-run: fw-apply"