#!/bin/bash if [[ "$1" == 'debug' ]]; then set -x; _DEBUG=$1; shift; fi if [[ "$1" == 'debug2' ]]; then set -xvT; _DEBUG=$1; shift; fi if [[ "$1" == 'trace' ]]; then _TRACE=$1; shift; fi #################################################################### # - FillFW - NFT # Have a loadfile created by each module or dynloader # and load the firewall from this information # #------------------------ REALPATH=`realpath $0` WHERE=`dirname $REALPATH` ME=`basename $REALPATH` cd $WHERE # ------- Core stuff ---- . system.conf . watchermap.conf . common.conf . common.bashlib # ------- API stuff ----- . api/bash/nft.bashlib #------------------------ logger "$ME[$$]: Started (re)loading firewall ..." # # Load NFTSET information from dynloaders, modules and internal lists # . loader.conf export ACCEPTS="|whitelist|passthru|" # # Establish link with internal ipset DROP lists # Modules & Dynloaders do this 'on the fly' # NOTE: mk-ipset always creates DROP set # !!! Don't use for the whitelist !!! #mk-ipset tarpit 'hash:ip' 'comment counters timeout 60' #mk-ipset custody 'hash:net' 'comment counters' #mk-ipset hijackers 'hash:net' 'comment counters' #mk-ipset blacklist 'hash:net' 'comment counters' #mk-ipset Untreated 'hash:net' 'comment counters timeout 21600' nft_mkset tarpit "ipv4_addr;" "flags timeout; timeout 60s;" drop nft_mkset custody "ipv4_addr;" "flags interval;" drop nft_mkset hijackers "ipv4_addr;" "flags interval;" drop # Special ACCEPT IPSETs ... # Establish link with ipset 'passthru' # THIS MUST COME LAST to go on top in iptables as 'ACCEPT'!!!) # #ipset -exist create passthru 'hash:net' 'comment' 'counters' #if ! $IPTABLES -nL INPUT | grep "match-set passthru" | grep -q ACCEPT #then # $IPTABLES -t filter -I INPUT -m set --match-set passthru src -j ACCEPT # $IPTABLES -t filter -I FORWARD -m set --match-set passthru src -j ACCEPT #else : echo "IPSET 'passthru' already establishedi ... skipping" #fi nft_mkset passthru "ipv4_addr;" "flags interval;" accept # A dummy IPSET for validation of IP addresses (needed for DEBIAN/UBUNTU) # Establish a dummy ipset just for ip addr validation # # --- DON'T CONNECT THIS WITH IPTABLES! --- # Just 'add' and verify the return code # ipset -exist create validate 'hash:net' comment timeout 1 # ipset -exist create validate 'hash:net' comment timeout 1 nft add set "$NFT_BASE_TAB" validate4 '{ type ipv4_addr; flags timeout; timeout 1s;}' nft add set "$NFT_BASE_TAB" validate6 '{ type ipv6_addr; flags timeout; timeout 1s;}' logger "$ME[$$]: Finished - Firewall (re)loaded"