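#!/usr/bin/env bash
#
# Installer for nft-fw-nd-priv.
#
# Copies the nftables template, the fw-apply/fw-stop helpers, a default
# config (never overwriting an existing one) and the systemd unit into
# place, then optionally points the iptables family at the nft backend
# and drops a fail2ban override so bans go through nftables.
#
# Must run as root: every step writes under /etc and /usr/local.
# Usage: ./install.sh   (run from a checkout; paths are resolved relative
#                        to this script's own directory)
set -euo pipefail

REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly REPO_DIR
# Destination of the default config. Note the installed name differs from
# the repo file (etc-default/nft-fw-nd-priv) — presumably fw-apply reads
# /etc/default/nft-fw; confirm against bin/fw-apply.
readonly CONFIG_FILE=/etc/default/nft-fw
readonly FAIL2BAN_DROPIN=/etc/fail2ban/jail.d/nft-fw-nd-priv.local

# Prefixed status line on stdout (printf, so a leading "-n" in the
# message cannot be eaten by echo).
say() { printf '[nft-fw-nd-priv] %s\n' "$*"; }

# Prefixed error on stderr, then exit 1.
die() { printf '[nft-fw-nd-priv] error: %s\n' "$*" >&2; exit 1; }

# Fail before touching anything: a non-root run would otherwise stop
# half-way through with an EACCES from install(1), and a missing payload
# file would leave a partially installed system.
(( EUID == 0 )) || die "this installer must run as root"
for payload in \
  templates/nftables.conf.in \
  bin/fw-apply \
  bin/fw-stop \
  etc-default/nft-fw-nd-priv \
  systemd/nft-fw.service; do
  [[ -f "$REPO_DIR/$payload" ]] || die "missing $REPO_DIR/$payload"
done

say "Creating directories..."
install -d -m 0755 /usr/local/sbin

say "Installing template..."
install -m 0644 "$REPO_DIR/templates/nftables.conf.in" /etc/nftables.conf.in

say "Installing scripts..."
install -m 0755 "$REPO_DIR/bin/fw-apply" /usr/local/sbin/fw-apply
install -m 0755 "$REPO_DIR/bin/fw-stop" /usr/local/sbin/fw-stop

say "Installing default config (won't overwrite existing)..."
if [[ ! -f "$CONFIG_FILE" ]]; then
  install -m 0644 "$REPO_DIR/etc-default/nft-fw-nd-priv" "$CONFIG_FILE"
else
  say "Config already exists at $CONFIG_FILE (leaving as-is)."
fi

say "Installing systemd unit..."
install -m 0644 "$REPO_DIR/systemd/nft-fw.service" /etc/systemd/system/nft-fw.service
systemctl daemon-reload
systemctl enable nft-fw.service

say "Switching iptables binaries to nft backend (if available)..."

#######################################
# Point an update-alternatives group at a given target, if both exist.
# Arguments: $1 - alternative group name (e.g. iptables)
#            $2 - absolute path of the desired target
# Outputs:   status line on stdout
# Returns:   always 0; a failed --set is reported but never aborts
#            the install (the firewall works without it).
#######################################
set_alt() {
  local name="$1" target="$2"
  local listed

  command -v update-alternatives >/dev/null 2>&1 || return 0

  # Capture the listing first instead of piping into grep -q: under
  # pipefail an early grep exit can SIGPIPE the writer and make a
  # present target look absent.
  listed=$(update-alternatives --list "$name" 2>/dev/null) || return 0
  grep -qxF -- "$target" <<<"$listed" || return 0

  if update-alternatives --set "$name" "$target"; then
    say "Set alternative: $name -> $target"
  else
    say "Warning: could not set alternative $name -> $target (continuing)"
  fi
}

# Common paths on Debian/Ubuntu
set_alt iptables /usr/sbin/iptables-nft
set_alt ip6tables /usr/sbin/ip6tables-nft
set_alt arptables /usr/sbin/arptables-nft
set_alt ebtables /usr/sbin/ebtables-nft

say "Configuring fail2ban banaction for nftables (if installed)..."
if [[ -d /etc/fail2ban && -x /usr/bin/fail2ban-client ]]; then
  install -d -m 0755 /etc/fail2ban/jail.d
  # Quoted delimiter: written verbatim, nothing expanded.
  cat > "$FAIL2BAN_DROPIN" <<'JEOF'
[DEFAULT]
# Prefer nftables actions when the system uses nft backend
banaction = nftables-multiport
banaction_allports = nftables-allports
JEOF
  say "Wrote $FAIL2BAN_DROPIN"
  # Best effort: a fail2ban restart failure should not block the firewall.
  systemctl restart fail2ban || true
else
  say "fail2ban not found; skipping."
fi

say "Applying firewall now..."
/usr/local/sbin/fw-apply

# Point the operator at the file this script actually installed.
say "Done. Edit $CONFIG_FILE and re-run: fw-apply"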