From e7ee4a3128edff583478f85ec56fcb6e37a0b551 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Tue, 30 Dec 2025 17:32:28 -0700
Subject: [PATCH] Update nftables configuration and installation script

This script now installs nftables, removes iptables, and configures nftables rules in /etc/nftables.conf.
---
 debian/resources/nftables.sh | 115 ++++++++++++++++++++++++++++++-----
 1 file changed, 101 insertions(+), 14 deletions(-)

diff --git a/debian/resources/nftables.sh b/debian/resources/nftables.sh
index 4729c38..47e7b8c 100755
--- a/debian/resources/nftables.sh
+++ b/debian/resources/nftables.sh
@@ -11,20 +11,107 @@ cd "$(dirname "$0")"
 #send a message
 verbose "Configuring nftables"
+#download the latest package index
+apt update
+
+#install nftables
+apt install nftables -y
+
+#remove iptables
+apt purge iptables-persistent -y
+rm -rf /etc/iptables
+
 #run iptables commands
-nft add rule ip filter INPUT iifname "lo" counter accept
-nft add rule ip filter INPUT ct state related,established counter accept
-nft add rule ip filter INPUT tcp dport 22 counter accept
-nft add rule ip filter INPUT tcp dport 80 counter accept
-nft add rule ip filter INPUT tcp dport 443 counter accept
-nft add rule ip filter INPUT tcp dport 7443 counter accept
-nft add rule ip filter INPUT tcp dport 5060-5091 counter accept
-nft add rule ip filter INPUT udp dport 5060-5091 counter accept
-nft add rule ip filter INPUT udp dport 16384-32768 counter accept
-nft add rule ip filter INPUT icmp type echo-request counter accept
-nft add rule ip filter INPUT udp dport 1194 counter accept
-nft add rule ip mangle OUTPUT udp sport 16384-32768 counter ip dscp set 0x2e
-nft add rule ip mangle OUTPUT tcp sport 5060-5091 counter ip dscp set 0x1a
-nft add rule ip mangle OUTPUT udp sport 5060-5091 counter ip dscp set 0x1a
+cat << EOF > /etc/nftables.conf
+#!/usr/sbin/nft -f
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ # Block specific IP addresses
+ #ip saddr 10.1.0.3 drop
+
+ # Allow loopback interface traffic
+ iifname "lo" counter accept
+
+ # Accept related and established connections
+ ct state related,established counter accept
+
+ # Allow SSH port
+ tcp dport 22 counter accept
+
+ # Allow HTTP/HTTPS
+ tcp dport {80,443} counter accept
+
+ # Secure Websocket port
+ tcp dport 7443 counter accept
+
+ # Allow SIP ports
+ tcp dport 5060-5091 counter accept
+ udp dport 5060-5091 counter accept
+
+ # Allow RTP Media ports
+ udp dport 16384-32768 counter accept
+
+ # Accept ICMP echo requests (ping)
+ icmp type echo-request counter accept
+
+ # Allow OpenVPN port
+ udp dport 1194 counter accept
+
+ # Allow ICMP accept
+ icmp type echo-request counter accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+ policy drop;
+ }
+
+ chain output {
+ type filter hook output priority 0;
+ policy accept;
+ }
+
+ chain sip-auth-ip {
+ type filter hook input priority -50;
+ policy accept;
+
+ # Block specific IP addresses
+ #ip saddr 10.1.0.3 counter drop
+ }
+
+ chain sip-auth-fail {
+ type filter hook input priority -50;
+ policy accept;
+ }
+
+}
+
+table inet mangle {
+ chain output {
+ type route hook output priority -150;
+
+ # Set DSCP value for TCP and UDP traffic from source ports
+ tcp sport 5060-5091 counter ip dscp set 0x1a
+ udp sport 5060-5091 counter ip dscp set 0x1a
+
+ # Set DSCP value for UDP traffic from source ports
+ udp sport 16384-32768 counter ip dscp set 0x2e
+
+ policy accept;
+ }
+}
+EOF
+
+#enable nftables and start the service
+systemctl enable nftables
+systemctl start nftables
+
+#load the nftable configuration
+nft -f /etc/nftables.conf
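Review bot: Moving the filter table from the `ip` family of the removed `nft add rule` lines to `table inet filter` makes the new `policy drop` on `chain input` apply to IPv6 too, and nothing in that chain accepts ICMPv6, so neighbour discovery and router advertisements are dropped and IPv6 on a dual-stack host silently stops working (NDP is not covered by the `ct state related,established` rule). I would add, beside the echo-request rule, `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } counter accept`, and delete the second `icmp type echo-request counter accept` under `# Allow ICMP accept`, which duplicates the one a few lines above it. Because the file opens with `flush ruleset`, any rules inserted at runtime into `sip-auth-ip` / `sip-auth-fail` (presumably dynamic ban entries — the hunk does not show who populates them) are discarded on every reload, which deserves a comment next to those chains. I would also run `nft -c -f /etc/nftables.conf` and bail out on failure before `systemctl enable nftables`, since nft applies the file atomically and a parse error leaves the host with no ruleset loaded and the unit in a failed state; the hunk's trailing context may continue past the end of this chunk.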