
#!/usr/bin/env bash
# Installer for nft-fw-nd-priv: copies the nftables template, the helper
# scripts, a default config and the systemd unit into place, switches the
# iptables alternatives to the nft backend, and finally applies the firewall.
set -euo pipefail

# Absolute path of the checkout this script lives in; all installed files
# are copied from here.
REPO_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Print one progress line tagged with the installer's name.
# Arguments: message words (joined with a single space)
# Outputs:   the tagged line on stdout
say() {
  printf '%s\n' "[nft-fw-nd-priv] $*"
}
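# Everything below writes under /etc and /usr/local; fail early with a clear
# message rather than with a permission error part-way through the install.
if (( EUID != 0 )); then
  say "This installer must be run as root (try: sudo $0)" >&2
  exit 1
fi

say "Creating directories..."
install -d -m 0755 /usr/local/sbin

say "Installing template..."
install -m 0644 "$REPO_DIR/templates/nftables.conf.in" /etc/nftables.conf.in

say "Installing scripts..."
install -m 0755 "$REPO_DIR/bin/fw-apply" /usr/local/sbin/fw-apply
install -m 0755 "$REPO_DIR/bin/fw-stop" /usr/local/sbin/fw-stop

say "Installing default config (won't overwrite existing)..."
# -e rather than -f: a symlink or any other existing entry at this path is
# left alone too, so a re-run never clobbers a locally managed config.
if [[ ! -e /etc/default/nft-fw ]]; then
  install -m 0644 "$REPO_DIR/etc-default/nft-fw-nd-priv" /etc/default/nft-fw
else
  say "Config already exists at /etc/default/nft-fw (leaving as-is)."
fi

say "Installing systemd unit..."
install -m 0644 "$REPO_DIR/systemd/nft-fw.service" /etc/systemd/system/nft-fw.service
systemctl daemon-reload
systemctl enable nft-fw.service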
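#######################################
# Point an update-alternatives group at a given target, but only when that
# target is actually registered for the group. Does nothing on systems
# without update-alternatives or without the group.
# Arguments: $1 - alternatives group name (e.g. iptables)
#            $2 - absolute path of the desired target binary
# Outputs:   progress / warning lines via say()
# Returns:   0 always
#######################################
set_alt() {
  local name="$1" target="$2"
  local candidates

  command -v update-alternatives >/dev/null 2>&1 || return 0

  # Capture the list first: piping it straight into grep -q would make the
  # condition depend on update-alternatives' own exit status under pipefail.
  candidates=$(update-alternatives --list "$name" 2>/dev/null) || return 0

  # -F/-x: the target is a literal path and must match a whole line.
  if grep -qxF -- "$target" <<<"$candidates"; then
    if update-alternatives --set "$name" "$target"; then
      say "Set alternative: $name -> $target"
    else
      # Keep going -- the rest of the install is still usable -- but do not
      # report success for a switch that did not happen.
      say "Warning: could not set alternative $name -> $target"
    fi
  fi
  return 0
}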
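# Common paths on Debian/Ubuntu
set_alt iptables /usr/sbin/iptables-nft
set_alt ip6tables /usr/sbin/ip6tables-nft
set_alt arptables /usr/sbin/arptables-nft
set_alt ebtables /usr/sbin/ebtables-nft

say "Configuring fail2ban banaction for nftables (if installed)..."
# Look the client up on PATH instead of assuming /usr/bin, so a distro that
# ships it elsewhere still gets the nftables actions.
if [[ -d /etc/fail2ban ]] && command -v fail2ban-client >/dev/null 2>&1; then
  install -d -m 0755 /etc/fail2ban/jail.d
  # Drop-in that overrides fail2ban's default iptables actions; the quoted
  # delimiter keeps the contents literal.
  cat > /etc/fail2ban/jail.d/nft-fw-nd-priv.local <<'JEOF'
[DEFAULT]
# Prefer nftables actions when the system uses nft backend
banaction = nftables-multiport
banaction_allports = nftables-allports
JEOF
  say "Wrote /etc/fail2ban/jail.d/nft-fw-nd-priv.local"
  # Best effort: a restart failure must not abort the firewall install, but
  # it should not be hidden from the operator either.
  if ! systemctl restart fail2ban; then
    say "Warning: could not restart fail2ban; restart it manually to pick up the new banaction."
  fi
else
  say "fail2ban not found; skipping."
fi

say "Applying firewall now..."
/usr/local/sbin/fw-apply
# The config was installed as /etc/default/nft-fw above; point users there.
say "Done. Edit /etc/default/nft-fw and re-run: fw-apply"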