firewall/nft-nd-priv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fea1d9fdc00ee43e74904e32fb3bd04ee324e0f3
nft-nd-priv/bin/fw-apply
Christoph fea1d9fdc0 initial commit
2025-12-27 19:23:42 +01:00

156 lines
3.7 KiB
Bash
Executable File
Raw Blame History

#!/usr//bin/env bash
set -euo pipefail
########################
# Args
########################
DO_APPLY=true
if [[ "${1:-}" == "--check" ]]; then
DO_APPLY=false
elif [[ "${1:-}" != "" ]]; then
echo "Usage: $0 [--check]" >&2
exit 2
fi
########################
# Defaults
########################
EXT_IF="eth0"
PRIV_IF="enp7s0"
PRIV_NET="172.20.0.0/21"
ALLOW_SSH_PUBLIC_IN=false
ALLOW_APT_PUBLIC_OUT=false
ALLOW_ICMP4_PUBLIC=true
ALLOW_ICMP6_PUBLIC=true
########################
# Optional config file
########################
CFG="/etc/default/nft-fw"
if [[ -r "$CFG" ]]; then
# shellcheck disable=SC1090
source "$CFG"
fi
########################
# Normalize booleans
########################
normalize_bool() {
# trim whitespace + remove CR (Windows line endings)
local v
v="$(printf '%s' "${1:-}" | tr -d '\r' | xargs)"
case "${v,,}" in
true|yes|1) echo true ;;
false|no|0|"") echo false ;;
*) echo false ;;
esac
}
ALLOW_ICMP4_PUBLIC="$(normalize_bool "${ALLOW_ICMP4_PUBLIC:-true}")"
ALLOW_ICMP6_PUBLIC="$(normalize_bool "${ALLOW_ICMP6_PUBLIC:-true}")"
ALLOW_SSH_PUBLIC_IN="$(normalize_bool "${ALLOW_SSH_PUBLIC_IN:-false}")"
ALLOW_APT_PUBLIC_OUT="$(normalize_bool "${ALLOW_APT_PUBLIC_OUT:-false}")"
NEED_EXT=false
if [[ "$ALLOW_SSH_PUBLIC_IN" == "true" || "$ALLOW_APT_PUBLIC_OUT" == "true" || "$ALLOW_ICMP4_PUBLIC" == "true" || "$ALLOW_ICMP6_PUBLIC" == "true" ]]; then
NEED_EXT=true
fi
EFFECTIVE_ALLOW_ICMP6_PUBLIC="$ALLOW_ICMP6_PUBLIC"
if [[ "$NEED_EXT" == "true" ]]; then
EFFECTIVE_ALLOW_ICMP6_PUBLIC=true
fi
########################
# Build optional rule blocks
########################
ICMP_PUBLIC_IN_RULES=""
ICMP_PUBLIC_OUT_RULES=""
SSH_PUBLIC_IN_RULE=""
APT_PUBLIC_OUT_RULES=""
# ICMPv4 optional
if [[ "$ALLOW_ICMP4_PUBLIC" == "true" ]]; then
ICMP_PUBLIC_IN_RULES="$(cat <<EOF
iif "$EXT_IF" ip protocol icmp accept
EOF
)"
ICMP_PUBLIC_OUT_RULES="$(cat <<EOF
oif "$EXT_IF" ip protocol icmp accept
EOF
)"
fi
# ICMPv6 optional (oder erzwungen über EFFECTIVE_ALLOW_ICMP6_PUBLIC)
if [[ "$EFFECTIVE_ALLOW_ICMP6_PUBLIC" == "true" ]]; then
# Falls schon was drin ist, füge sauber eine Leerzeile/Zeilenumbruch hinzu
[[ -n "$ICMP_PUBLIC_IN_RULES" ]] && ICMP_PUBLIC_IN_RULES+=$'\n'
[[ -n "$ICMP_PUBLIC_OUT_RULES" ]] && ICMP_PUBLIC_OUT_RULES+=$'\n'
ICMP_PUBLIC_IN_RULES+=$(cat <<EOF
iif "$EXT_IF" ip6 nexthdr icmpv6 accept
EOF
)
ICMP_PUBLIC_OUT_RULES+=$(cat <<EOF
oif "$EXT_IF" ip6 nexthdr icmpv6 accept
EOF
)
fi
if [[ "$ALLOW_SSH_PUBLIC_IN" == "true" ]]; then
SSH_PUBLIC_IN_RULE="$(cat <<EOF
iif "$EXT_IF" tcp dport 22 accept
EOF
)"
fi
if [[ "$ALLOW_APT_PUBLIC_OUT" == "true" ]]; then
APT_PUBLIC_OUT_RULES="$(cat <<EOF
oif "$EXT_IF" udp dport 53 accept
oif "$EXT_IF" tcp dport 53 accept
oif "$EXT_IF" tcp dport { 80, 443 } accept
EOF
)"
fi
export EXT_IF PRIV_IF PRIV_NET
export ICMP_PUBLIC_IN_RULES ICMP_PUBLIC_OUT_RULES
export SSH_PUBLIC_IN_RULE APT_PUBLIC_OUT_RULES
########################
# Render
########################
TMP="$(mktemp -p /run nft-fw.XXXXXX)"
trap 'rm -f "$TMP"' EXIT
envsubst < /etc/nftables.conf.in > "$TMP"
########################
# Remove only our table (do NOT touch fail2ban)
########################
nft delete table inet fw_static 2>/dev/null || true
########################
# Validate + apply
########################
nft -c -f "$TMP"
if [[ "$DO_APPLY" == "true" ]]; then
nft -f "$TMP"
install -m 600 "$TMP" /etc/nftables.conf
else
echo ""
echo " fw-apply: check mode"
[[ -r "$CFG" ]] && echo " - config loaded: $CFG" || echo " - config loaded: defaults only"
echo " - rendered nftables ruleset: OK"
echo " - syntax check (nft -c): OK"
echo " - no changes applied"
echo ""
fi
Reference in New Issue View Git Blame Copy Permalink