Prepare ip6t-firewall-server for making nftables ready later on.

Make IPv4 firewall nftables ready.
2026-01-14 17:47:53 +01:00 · 2026-01-14 17:46:20 +01:00
4 changed files with 726 additions and 358 deletions
--- a/conf/default_settings.conf
+++ b/conf/default_settings.conf
@@ -13,7 +13,6 @@ default_per_IP_connection_limit=111
 standard_checkmk_port=6556
 standard_cpan_wait_port=1404
 standard_cups_port=$standard_ipp_port
 standard_dns_port=53
 standard_ftp_port=21
 standard_ftp_data_port=20
@@ -23,6 +22,7 @@ standard_http_port=80
 standard_https_port=443
 standard_ident_port=113
 standard_ipp_port=631
 standard_cups_port=$standard_ipp_port
 standard_irc_port=6667
 standard_jabber_port=5222
 standard_ldap_port=389
--- a/conf/include_functions.conf
+++ b/conf/include_functions.conf
@@ -1,5 +1,13 @@
 #!/usr/bin/env bash
 # - Set firewall command (either iptables or ip6tables)
 #
 if [[ -x "${ip6t}" ]] ; then
   fw_command="${ip6t}"
 elif [[ -x "${ipt}" ]] ; then
   fw_command="${ipt}"
 fi 
 # -------------
 # --- Some functions
 # -------------
@@ -82,3 +90,167 @@ trim() {
    echo -n "$var"
 }
 is_container() {
  command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
 }
 # -------------
 # - IPv6 handling
 # -------------
 ENABLE_IPV6="auto"   # auto | yes | no
 IPV6_ACTIVE=0
 ipv6_sysctl_enabled() {
  sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
 }
 has_ipv6_addr() {
  ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
 }
 detect_ipv6() {
  case "$ENABLE_IPV6" in
    yes)  return 0 ;;
    no)   return 1 ;;
    auto) ipv6_sysctl_enabled ;;
    *)    return 1 ;;
  esac
 }
 # -------------
 # - Fail2ban
 # -------------
 FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
 FAIL2BAN_WAS_RUNNING=false
 fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
 has_fail2ban() {
   command -v fail2ban-client >/dev/null 2>&1
 }
 fail2ban_running() {
   systemctl is-active --quiet fail2ban >/dev/null 2>&1
 }
 # -------------
 # - Debian 12/13 compatibility helpers (best effort)
 # -------------
 ensure_mod() {
   # ---
   # Load a kernel module if possible (no hard failure).
   # NOTE: In containers module loading is not possible; modules must be loaded on the host.
   # ---
   local m="$1"
   # Already loaded?
   if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
      return 0
   fi
   # Skip in containers/guests without module loading capability
   #
   is_container && return 0
   # Best effort modprobe
   /sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
 }
 # --- Feature detection helpers (Debian 12/13 + containers)
 module_loaded() {
   lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
 }
 can_use_recent() {
   # xt_recent is the kernel module behind "-m recent"
   # In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
   module_loaded xt_recent && return 0
   [ -d /proc/net/xt_recent ] && return 0
   # As a last resort, ask iptables to parse the match (works if userspace has it)
   "$ipt" -m recent -h >/dev/null 2>&1 && return 0
   return 1
 }
 can_use_hashlimit() {
   # xt_hashlimit is the kernel module behind "-m hashlimit"
   module_loaded xt_hashlimit && return 0
   [ -d /proc/net/xt_hashlimit ] && return 0
   "${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
   return 1
 }
 can_use_connlimit() {
   # xt_connlimit is the kernel module behind "-m connlimit"
   module_loaded xt_connlimit && return 0
   "${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
   return 1
 }
 can_use_owner() {
   # xt_owner is the kernel module behind "-m owner"
   module_loaded xt_owner && return 0
   "${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
   return 1
 }
 can_use_ct_target() {
   # Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
   "${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
   return 1
 }
 can_use_helper_match() {
   # Check if helper match exists
   "${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
   return 1
 }
 can_use_nft() {
   command -v nft >/dev/null 2>&1 && return 0
   return 1
 }
 setup_ftp_conntrack_helper_output() {
   # Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
   if can_use_ct_target ; then
      "${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
      return 0
   fi
   # nft fallback (nft-native helper assignment); keeps us "nft-ready"
   if can_use_nft ; then
      # Best-effort; may fail in containers without CAP_NET_ADMIN
      nft add table ip fwhelper >/dev/null 2>&1 || true
      nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
      nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
      nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
   fi
   warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
   return 1
 }
 setup_ftp_conntrack_helper_prerouting() {
   # Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
   if can_use_ct_target ; then
      "$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
      return 0
   fi
   # nft fallback (nft-native helper assignment); keeps us "nft-ready"
   if can_use_nft ; then
      nft add table ip fwhelper >/dev/null 2>&1 || true
      nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
      nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
      nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
   fi
   warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
   return 1
 }
--- a/185
+++ b/185
@@ -1,14 +1,4 @@
 #!/usr/bin/env bash
 ### BEGIN INIT INFO
 # Provides:          ip6t-firewall
 # Required-Start:    $local_fs $remote_fs $syslog $network $time
 # Required-Stop:     $local_fs $remote_fs $syslog $network
 # Should-Start:
 # Should-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: IPv6 Firewall
 ### END INIT INFO
 # -------------
@@ -28,17 +18,8 @@ conf_main=${ipt_conf_dir}/main_ipv6.conf
 conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
 conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
 ip6t=$(which ip6tables)
 if [[ -z "$fail2ban_client" ]]; then
   fail2ban_client="$(which fail2ban-client)"
 fi
 # -------------
 # - Some checks and preloads..
 # -------------
 ip6t="$(command -v ip6tables 2>/dev/null)"
 if [[ -z "$ip6t" ]] ; then
   echo ""
@@ -49,6 +30,17 @@ if [[ -z "$ip6t" ]] ; then
   exit 1
 fi
 # -------------
 # - Load Default Settings and Functions
 # -------------
 if [[ ! -f "$conf_default_settings" ]]; then
   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
 else
   source $conf_default_settings
 fi
 if [[ ! -f "$inc_functions_file" ]] ; then
   echo ""
   echo -e "\tMissing include file '$inc_functions_file'"
@@ -61,6 +53,37 @@ else
 fi
 # -------------
 # - Some checks and preloads..
 # -------------
 # Check IPv6 presence
 if detect_ipv6; then
  IPV6_ACTIVE=1
  if has_ipv6_addr; then
   info "IPv6 enabled (global address present)."
  else
    warn "IPv6 enabled but no global address configured yet."
  fi
 else
  IPV6_ACTIVE=0
  warn "IPv6 disabled via sysctl."
 fi
 # Fail if ip6tables points to legacy (helps avoid surprises on dual-stack hosts / fail2ban)
 if command -v ip6tables >/dev/null 2>&1; then
   if ! ip6tables --version 2>/dev/null | grep -q "nf_tables"; then
      echo ""
      echo "ERROR: ip6tables is NOT using nf_tables backend (ip6tables-nft)."
      echo "Fix (on the host, as root):"
      echo "  update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
      echo ""
      echo "Current: $(ip6tables --version 2>/dev/null || echo 'unknown')"
      exit 1
   fi
 fi
 # - Check if running inside a container
 # -
 host_is_vm=false
@@ -88,22 +111,34 @@ else
 fi
-if [[ ! -f "$load_modules_file" ]] ; then
+# -------------
-   warn "No modules for loading configured. Missing file '$load_modules_file'!"
+# --- Ensure required modules for this script (best effort; host-side in containers)
 # -------------
 echo
 echononl "\tEnsure required modules are loaded.."
 if is_container ; then
   echo_skipped
 else
   echo_done
 fi
-   if ! $host_is_vm ; then
+ensure_mod nf_conntrack
 ensure_mod nf_nat
 ensure_mod nf_conntrack_ftp
 ensure_mod nf_nat_ftp
 ensure_mod xt_recent
 ensure_mod xt_hashlimit
 ensure_mod xt_connlimit
 ensure_mod xt_owner
 ensure_mod xt_helper
 ensure_mod br_netfilter
      while read -r module ; do
         if ! lsmod | grep -q -E "^$module\s+" ; then
            /sbin/modprobe  $module > /dev/null 2>&1
            if [[ "$?" != "0" ]]; then
               warn "Loading module '$module' failed!"
            fi
         fi
      done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
   fi
 # Disable automatic conntrack helper assignment (keep explicit CT --helper rules)
 if ! $host_is_vm ; then
   sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true
 fi
 if [[ ! -f "$conf_logging" ]]; then
@@ -112,12 +147,6 @@ else
   source $conf_logging
 fi
 if [[ ! -f "$conf_default_settings" ]]; then
   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
 else
   source $conf_default_settings
 fi
 if [[ ! -f "$conf_interfaces" ]]; then
   fatal "Missing interface configurations  - file '$conf_interfaces'"
 else
@@ -198,14 +227,25 @@ fi # if ! $host_is_vm
 # ------------- Stop Fail2Ban if installed -------------
 #
-if [ -x "$fail2ban_client" ]; then
+echo
-   echononl "\tStopping fail2ban.."
+echononl "\tCheck presence and configuration of Fail2ban .."
-   $fail2ban_client stop > /dev/null 2>&1
+echo_done
-   if [ "$?" = "0" ];then
+if ! has_fail2ban ; then
-      echo_done
+   warn "Fail2ban is not installed.."
 elif ! fail2ban_running ; then
   warn "Fail2ban is installed but not running.."
 else
   CURRENT_BANACTION=$(grep -E '^\s*banaction\s*=' "$FAIL2BAN_CONFIG_FILE" | head -1 | tr -d ' ' | cut -d'=' -f2)
   if [[ -n ${CURRENT_BANACTION} ]] ; then
      if [ "$CURRENT_BANACTION" = "nftables" ]; then
         info "Fail2ban is running, banaction is et to nftables."
      else
-      echo_warning
+         warn "Change banaction from ${CURRENT_BANACTION} to \033[1mbanaction=nftables\033[m"
      fi
   else
      warn "banaction seems not to be configured. Take care that \033[1mbanaction=nftables\033[m"
   fi
   FAIL2BAN_WAS_RUNNING=true
 fi
 #
 # ------------- Ende: Stop Fail2Ban if installed -------------
@@ -708,14 +748,12 @@ echo_done
 # ---
 echononl "\tDrop all ICMP traffic.."
 echo_skipped
 if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
-   if $log_rejected || $log_all ; then
+
-      $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
+   warn " No ICMPv6 packets were dropped - they are essential."
-   fi
+
   $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j DROP
   echo_done
 else
   echo_skipped
 fi
@@ -858,6 +896,28 @@ fi
 echo_done
 echononl "\tICMPv6 - mandatory for IPv6 to work correctly!"
 # ICMPv6 essentials (numbers to be compatible with ip6tables-nft)
 # 1  = destination-unreachable
 # 2  = packet-too-big
 # 3  = time-exceeded
 # 4  = parameter-problem
 # 128= echo-request
 # 129= echo-reply
 # 133= router-solicitation
 # 134= router-advertisement
 # 135= neighbor-solicitation
 # 136= neighbor-advertisement
 for t in 1 2 3 4 128 129 133 134 135 136; do
   $ip6t -A INPUT  -p ipv6-icmp --icmpv6-type $t -j ACCEPT
   $ip6t -A OUTPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      $ip6t -A FORWARD -p  ipv6-icmp --icmpv6-type "$t" -j ACCEPT
   fi
 done
 echo_done
 # ---
 # - Protection against syn-flooding
@@ -2836,20 +2896,31 @@ echo_done
 # -------------
-# ------------- Start Fail2Ban if installed
+# ------------- Reload Fail2Ban if installed
 # -------------
-if [ -x "$fail2ban_client" ]; then
+if ${FAIL2BAN_WAS_RUNNING}; then
   echo
-   echononl "\tStarting fail2ban.."
+   echononl "\tReloading fail2ban.."
-   $fail2ban_client start > /dev/null 2>&1
+   $fail2ban_client reload > /dev/null 2>&1
-   if [ "$?" = "0" ];then
+   if [ "$?" = "0" ]; then
      echo_done
   else
-      echo_failed
+      # Fallback: reload + restart jails if needed
      $fail2ban_client reload --restart > /dev/null 2>&1
      if [ "$?" = "0" ]; then
         echo_done
      else
         echo_skipped
         warn "Fail2ban reload failed. Leaving fail2ban unchanged. Check: fail2ban-client -d and /var/log/fail2ban.log"
      fi
   fi
 else
   # fail2ban not running before; do not start it here
   :
 fi
 echo
 exit 0
--- a/635
+++ b/635
Author	SHA1	Message	Date
Christoph	b35a3f3261	Prepare ip6t-firewall-server for making nftables ready later on.	2026-01-14 17:47:53 +01:00
Christoph	cea43cd7fa	Make IPv4 firewall nftables ready.	2026-01-14 17:46:20 +01:00