Prepare ip6t-firewall-server for making nftables ready later on.

Make IPv4 firewall nftables ready.
2026-01-14 17:47:53 +01:00 · 2026-01-14 17:46:20 +01:00
4 changed files with 726 additions and 358 deletions
--- a/conf/default_settings.conf
+++ b/conf/default_settings.conf
@@ -13,7 +13,6 @@ default_per_IP_connection_limit=111

 standard_checkmk_port=6556
 standard_cpan_wait_port=1404
-standard_cups_port=$standard_ipp_port
 standard_dns_port=53
 standard_ftp_port=21
 standard_ftp_data_port=20
@@ -23,6 +22,7 @@ standard_http_port=80
 standard_https_port=443
 standard_ident_port=113
 standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
 standard_irc_port=6667
 standard_jabber_port=5222
 standard_ldap_port=389
--- a/conf/include_functions.conf
+++ b/conf/include_functions.conf
@@ -1,5 +1,13 @@
 #!/usr/bin/env bash

+# - Set firewall command (either iptables or ip6tables)
+#
+if [[ -x "${ip6t}" ]] ; then
+   fw_command="${ip6t}"
+elif [[ -x "${ipt}" ]] ; then
+   fw_command="${ipt}"
+fi 
+
 # -------------
 # --- Some functions
 # -------------
@@ -82,3 +90,167 @@ trim() {
    echo -n "$var"
 }

+
+is_container() {
+  command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
+}
+
+
+# -------------
+# - IPv6 handling
+# -------------
+
+ENABLE_IPV6="auto"   # auto | yes | no
+IPV6_ACTIVE=0
+
+ipv6_sysctl_enabled() {
+  sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
+}
+
+has_ipv6_addr() {
+  ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
+}
+
+detect_ipv6() {
+  case "$ENABLE_IPV6" in
+    yes)  return 0 ;;
+    no)   return 1 ;;
+    auto) ipv6_sysctl_enabled ;;
+    *)    return 1 ;;
+  esac
+}
+
+
+# -------------
+# - Fail2ban
+# -------------
+
+FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
+FAIL2BAN_WAS_RUNNING=false
+fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
+has_fail2ban() {
+   command -v fail2ban-client >/dev/null 2>&1
+}
+
+fail2ban_running() {
+   systemctl is-active --quiet fail2ban >/dev/null 2>&1
+}
+
+# -------------
+# - Debian 12/13 compatibility helpers (best effort)
+# -------------
+ensure_mod() {
+
+   # ---
+   # Load a kernel module if possible (no hard failure).
+   # NOTE: In containers module loading is not possible; modules must be loaded on the host.
+   # ---
+
+   local m="$1"
+
+   # Already loaded?
+   if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
+      return 0
+   fi
+
+   # Skip in containers/guests without module loading capability
+   #
+   is_container && return 0
+
+   # Best effort modprobe
+   /sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
+}
+
+# --- Feature detection helpers (Debian 12/13 + containers)
+module_loaded() {
+   lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
+}
+
+can_use_recent() {
+   # xt_recent is the kernel module behind "-m recent"
+   # In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
+   module_loaded xt_recent && return 0
+   [ -d /proc/net/xt_recent ] && return 0
+   # As a last resort, ask iptables to parse the match (works if userspace has it)
+   "$ipt" -m recent -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_hashlimit() {
+   # xt_hashlimit is the kernel module behind "-m hashlimit"
+   module_loaded xt_hashlimit && return 0
+   [ -d /proc/net/xt_hashlimit ] && return 0
+   "${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_connlimit() {
+   # xt_connlimit is the kernel module behind "-m connlimit"
+   module_loaded xt_connlimit && return 0
+   "${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_owner() {
+   # xt_owner is the kernel module behind "-m owner"
+   module_loaded xt_owner && return 0
+   "${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_ct_target() {
+   # Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
+   "${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_helper_match() {
+   # Check if helper match exists
+   "${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_nft() {
+   command -v nft >/dev/null 2>&1 && return 0
+   return 1
+}
+
+setup_ftp_conntrack_helper_output() {
+   # Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
+   if can_use_ct_target ; then
+      "${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
+      return 0
+   fi
+
+   # nft fallback (nft-native helper assignment); keeps us "nft-ready"
+   if can_use_nft ; then
+      # Best-effort; may fail in containers without CAP_NET_ADMIN
+      nft add table ip fwhelper >/dev/null 2>&1 || true
+      nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
+      nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
+      nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
+   fi
+
+   warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
+   return 1
+}
+
+setup_ftp_conntrack_helper_prerouting() {
+   # Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
+   if can_use_ct_target ; then
+      "$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
+      return 0
+   fi
+
+   # nft fallback (nft-native helper assignment); keeps us "nft-ready"
+   if can_use_nft ; then
+      nft add table ip fwhelper >/dev/null 2>&1 || true
+      nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
+      nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
+      nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
+   fi
+
+   warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
+   return 1
+}
+
--- a/185
+++ b/185
@@ -1,14 +1,4 @@
 #!/usr/bin/env bash
-### BEGIN INIT INFO
-# Provides:          ip6t-firewall
-# Required-Start:    $local_fs $remote_fs $syslog $network $time
-# Required-Stop:     $local_fs $remote_fs $syslog $network
-# Should-Start:
-# Should-Stop:
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: IPv6 Firewall
-### END INIT INFO


 # -------------
@@ -28,17 +18,8 @@ conf_main=${ipt_conf_dir}/main_ipv6.conf
 conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
 conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"

-ip6t=$(which ip6tables)
-
-if [[ -z "$fail2ban_client" ]]; then
-   fail2ban_client="$(which fail2ban-client)"
-fi
-
-
-# -------------
-# - Some checks and preloads..
-# -------------

+ip6t="$(command -v ip6tables 2>/dev/null)"

 if [[ -z "$ip6t" ]] ; then
   echo ""
@@ -49,6 +30,17 @@ if [[ -z "$ip6t" ]] ; then
   exit 1
 fi

+
+# -------------
+# - Load Default Settings and Functions
+# -------------
+
+if [[ ! -f "$conf_default_settings" ]]; then
+   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
+else
+   source $conf_default_settings
+fi
+
 if [[ ! -f "$inc_functions_file" ]] ; then
   echo ""
   echo -e "\tMissing include file '$inc_functions_file'"
@@ -61,6 +53,37 @@ else
 fi


+# -------------
+# - Some checks and preloads..
+# -------------
+
+# Check IPv6 presence
+if detect_ipv6; then
+  IPV6_ACTIVE=1
+  if has_ipv6_addr; then
+   info "IPv6 enabled (global address present)."
+  else
+    warn "IPv6 enabled but no global address configured yet."
+  fi
+else
+  IPV6_ACTIVE=0
+  warn "IPv6 disabled via sysctl."
+fi
+
+# Fail if ip6tables points to legacy (helps avoid surprises on dual-stack hosts / fail2ban)
+if command -v ip6tables >/dev/null 2>&1; then
+   if ! ip6tables --version 2>/dev/null | grep -q "nf_tables"; then
+      echo ""
+      echo "ERROR: ip6tables is NOT using nf_tables backend (ip6tables-nft)."
+      echo "Fix (on the host, as root):"
+      echo "  update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+      echo ""
+      echo "Current: $(ip6tables --version 2>/dev/null || echo 'unknown')"
+      exit 1
+   fi
+fi
+
+
 # - Check if running inside a container
 # -
 host_is_vm=false
@@ -88,22 +111,34 @@ else
 fi


-if [[ ! -f "$load_modules_file" ]] ; then
-   warn "No modules for loading configured. Missing file '$load_modules_file'!"
+# -------------
+# --- Ensure required modules for this script (best effort; host-side in containers)
+# -------------
+
+
+echo
+echononl "\tEnsure required modules are loaded.."
+if is_container ; then
+   echo_skipped
 else
+   echo_done
+fi

-   if ! $host_is_vm ; then
+ensure_mod nf_conntrack
+ensure_mod nf_nat
+ensure_mod nf_conntrack_ftp
+ensure_mod nf_nat_ftp
+ensure_mod xt_recent
+ensure_mod xt_hashlimit
+ensure_mod xt_connlimit
+ensure_mod xt_owner
+ensure_mod xt_helper
+ensure_mod br_netfilter

-      while read -r module ; do
-         if ! lsmod | grep -q -E "^$module\s+" ; then
-            /sbin/modprobe  $module > /dev/null 2>&1
-            if [[ "$?" != "0" ]]; then
-               warn "Loading module '$module' failed!"
-            fi
-         fi
-      done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
-   fi

+# Disable automatic conntrack helper assignment (keep explicit CT --helper rules)
+if ! $host_is_vm ; then
+   sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true
 fi

 if [[ ! -f "$conf_logging" ]]; then
@@ -112,12 +147,6 @@ else
   source $conf_logging
 fi

-if [[ ! -f "$conf_default_settings" ]]; then
-   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
-else
-   source $conf_default_settings
-fi
-
 if [[ ! -f "$conf_interfaces" ]]; then
   fatal "Missing interface configurations  - file '$conf_interfaces'"
 else
@@ -198,14 +227,25 @@ fi # if ! $host_is_vm

 # ------------- Stop Fail2Ban if installed -------------
 #
-if [ -x "$fail2ban_client" ]; then
-   echononl "\tStopping fail2ban.."
-   $fail2ban_client stop > /dev/null 2>&1
-   if [ "$?" = "0" ];then
-      echo_done
+echo
+echononl "\tCheck presence and configuration of Fail2ban .."
+echo_done
+if ! has_fail2ban ; then
+   warn "Fail2ban is not installed.."
+elif ! fail2ban_running ; then
+   warn "Fail2ban is installed but not running.."
+else
+   CURRENT_BANACTION=$(grep -E '^\s*banaction\s*=' "$FAIL2BAN_CONFIG_FILE" | head -1 | tr -d ' ' | cut -d'=' -f2)
+   if [[ -n ${CURRENT_BANACTION} ]] ; then
+      if [ "$CURRENT_BANACTION" = "nftables" ]; then
+         info "Fail2ban is running, banaction is et to nftables."
      else
-      echo_warning
+         warn "Change banaction from ${CURRENT_BANACTION} to \033[1mbanaction=nftables\033[m"
      fi
+   else
+      warn "banaction seems not to be configured. Take care that \033[1mbanaction=nftables\033[m"
+   fi
+   FAIL2BAN_WAS_RUNNING=true
 fi
 #
 # ------------- Ende: Stop Fail2Ban if installed -------------
@@ -708,14 +748,12 @@ echo_done
 # ---

 echononl "\tDrop all ICMP traffic.."
+echo_skipped
+
 if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
-   if $log_rejected || $log_all ; then
-      $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
-   fi
-   $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j DROP
-   echo_done
-else
-   echo_skipped
+
+   warn " No ICMPv6 packets were dropped - they are essential."
+
 fi


@@ -858,6 +896,28 @@ fi

 echo_done

+echononl "\tICMPv6 - mandatory for IPv6 to work correctly!"
+
+# ICMPv6 essentials (numbers to be compatible with ip6tables-nft)
+# 1  = destination-unreachable
+# 2  = packet-too-big
+# 3  = time-exceeded
+# 4  = parameter-problem
+# 128= echo-request
+# 129= echo-reply
+# 133= router-solicitation
+# 134= router-advertisement
+# 135= neighbor-solicitation
+# 136= neighbor-advertisement
+for t in 1 2 3 4 128 129 133 134 135 136; do
+   $ip6t -A INPUT  -p ipv6-icmp --icmpv6-type $t -j ACCEPT
+   $ip6t -A OUTPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      $ip6t -A FORWARD -p  ipv6-icmp --icmpv6-type "$t" -j ACCEPT
+   fi
+done
+
+echo_done

 # ---
 # - Protection against syn-flooding
@@ -2836,20 +2896,31 @@ echo_done


 # -------------
-# ------------- Start Fail2Ban if installed
+# ------------- Reload Fail2Ban if installed
 # -------------

-if [ -x "$fail2ban_client" ]; then
+if ${FAIL2BAN_WAS_RUNNING}; then
   echo
-   echononl "\tStarting fail2ban.."
-   $fail2ban_client start > /dev/null 2>&1
-   if [ "$?" = "0" ];then
+   echononl "\tReloading fail2ban.."
+   $fail2ban_client reload > /dev/null 2>&1
+   if [ "$?" = "0" ]; then
      echo_done
   else
-      echo_failed
+      # Fallback: reload + restart jails if needed
+      $fail2ban_client reload --restart > /dev/null 2>&1
+      if [ "$?" = "0" ]; then
+         echo_done
+      else
+         echo_skipped
+         warn "Fail2ban reload failed. Leaving fail2ban unchanged. Check: fail2ban-client -d and /var/log/fail2ban.log"
      fi
+   fi
+else
+   # fail2ban not running before; do not start it here
+   :
 fi

+
 echo
 exit 0

--- a/635
+++ b/635
Author	SHA1	Message	Date
Christoph	b35a3f3261	Prepare ip6t-firewall-server for making nftables ready later on.	2026-01-14 17:47:53 +01:00
Christoph	cea43cd7fa	Make IPv4 firewall nftables ready.	2026-01-14 17:46:20 +01:00