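#!/bin/bash
#
# - FillFW - (IPSETs)
# - NFT version
#
# (Re)load the watcher firewall on top of nftables: prepare the watcher
# chain and sets, then let the sourced loader code (dynloaders, modules,
# Whitelist, Blacklist) fill them from the loadfiles they create.
#
# Usage: fillfw [debug|debug2]
#   debug   - trace every command (set -x)
#   debug2  - verbose trace incl. sourced file contents (set -xvT)
#
# Everything not defined in this file (FIREWALL, NFT_BASE_TAB, POOL,
# nft_mkset, Whitelist, Blacklist, ...) comes from the configuration and
# library files sourced from the script's own directory below.
#
if [[ "$1" == 'debug' ]]; then set -x; shift; fi
if [[ "$1" == 'debug2' ]]; then set -xvT; shift; fi

#------------------------
# Log to syslog and abort. Used for the few failures that must not be
# ignored in a firewall loader (wrong directory, missing config/libs).
die() {
  logger "${ME}[$$]: $* - aborting"
  exit 1
}

# Resolve our own directory and work from there. All config and libs are
# sourced by relative path, so a failed cd has to abort instead of
# silently sourcing whatever happens to be in the caller's cwd.
REALPATH=$(realpath "$0")
WHERE=$(dirname "$REALPATH")
ME=$(basename "$REALPATH")
cd "$WHERE" || die "cannot cd to '$WHERE'"

# A missing config/lib would leave NFT_BASE_TAB empty and nft_mkset
# undefined, and the nft commands below would then run with garbage
# arguments - so sourcing failures are fatal here.
for conf in system.conf watcher.conf common.conf common.bashlib api/bash/nft.bashlib; do
  . "$conf" || die "cannot source '$conf'"
done
#------------------------

logger "${ME}[$$]: Started (re)loading firewall ..."

# Base chains the watcher hooks into; depends on the firewall frontend
# configured in system.conf. Kept as a space separated string (not an
# array) on purpose: it is word-split in the loop below and may also be
# read by the sourced loader code - TODO confirm before changing its type.
if [[ "$FIREWALL" == "firewalld" ]]; then
  CHAINS="filter_IN_public filter_FWD_public"
else
  CHAINS="allow"
fi

#
# First of all prepare watcher chains in the firewall
#
# 'nft add chain' is idempotent for an existing chain. 'nft insert rule'
# is not: every (re)load inserts another jump at the top of each base
# chain. NOTE(review): confirm a flush of these chains happens elsewhere
# (e.g. in the sourced libs) before assuming repeated reloads are clean.
nft add chain "$NFT_BASE_TAB" watcher-blackhole
# shellcheck disable=SC2086 -- intentional word-splitting of CHAINS
for ch in $CHAINS; do
  nft insert rule "$NFT_BASE_TAB" "$ch" jump watcher-blackhole
done

#
# Request load information from dynloaders & modules
# dynloader and modules create their sets 'on-the-fly'
#
# loader.conf is expected to provide Whitelist/Blacklist used below; if a
# deployment legitimately runs without it, relax this check.
. loader.conf || die "cannot source 'loader.conf'"

#
# whitelist MUST COME FIRST with 'nftables'
# The manual 'whitelist' has highest precedence and must come FIRST
#
# nft_mkset whitelist "ipv4_addr; flags interval;" "comment whitelist;"
Whitelist   # Whitelist does it all

# Establish link with internal set DROP lists
# Modules & Dynloaders do this 'on the fly'
# ---------------------  SETTYP        SETOPTS
nft_mkset tarpit    "ipv4_addr;" "flags timeout; timeout 60s;"
nft_mkset custody   "ipv4_addr;" "flags interval;"
nft_mkset hijackers "ipv4_addr;" "flags interval;"

#
# Fill in local blacklist
#
# The manual 'blacklist' has lowest precedence and must come LAST
#
# Previous inline implementation, superseded by Blacklist (kept for reference):
#nft_mkset blacklist "ipv4_addr; flags interval;" "comment blacklist;"
#OPTBLACKS=`ls -1 blacklist.* 2>/dev/null`
#for list in blacklist # `echo $OPTBLACKS` # no multiple blacklists for now
#do
#  LOADFILE=$POOL'/nftset.Loadfile-'$list
#  echo "add set $NFT_BASE_TAB $list {type ipv4_addr; flags interval; }" > $LOADFILE
#
#  awk -v list=$list -v loadfile="$LOADFILE" -v basetable="$NFT_BASE_TAB" '
#    /^$/ { next }
#    /^[ \t]*[#]/ { next }
#    { IP[$1]=$1 }
#    END {
#      for ( ip in IP ) {
#        printf "add element %s %s { %s comment blacklisted }\n", basetable, list, ip >> loadfile
#      }
#    }
#  ' $list
#
#  if nft_sets | grep -q $list
#  then nft_flush_set $list
#  fi
#
#  nft -f $LOADFILE
#done
Blacklist   # Blacklist does it all

# A dummy IPSET for validation of IP addresses (needed for DEBIAN/UBUNTU)
# Establish a dummy ipset just for ip addr validation
# but DON'T CONNECT THIS WITH IPTABLES!
# i.e. don't use 'nft-mset' which automatically links the set!
# Just 'add' elements and verify the return code
#ipset -exist create validate 'hash:net' comment timeout 1
nft add set "$NFT_BASE_TAB" validate "{ type ipv4_addr; flags timeout; timeout 1s;}"

logger "${ME}[$$]: Finished - Firewall (re)loaded"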