nsinnovations/fusionpbx-install.sh
Public Access
2
0
Fork 0
forked from norman/fusionpbx-install.sh-github-mirror
Code Pull Requests Activity

Update nftables configuration and installation script

Browse Source 
This script now installs nftables, removes iptables, and configures nftables rules in /etc/nftables.conf.
This commit is contained in:
FusionPBX
2025-12-30 17:32:28 -07:00
committed by GitHub
parent 25c25e64db
commit e7ee4a3128
1 changed files with 101 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
debian/resources/nftables.sh vendored
View File

@@ -11,20 +11,107 @@ cd "$(dirname "$0")"
#send a message #send a message
verbose "Configuring nftables" verbose "Configuring nftables"
#download the latest package index
apt update
#install nftables
apt install nftables -y
#remove iptables
apt purge iptables-persistent -y
rm -rf /etc/iptables
#run iptables commands #run iptables commands
nft add rule ip filter INPUT iifname "lo" counter accept cat << EOF > /etc/nftables.conf
nft add rule ip filter INPUT ct state related,established counter accept #!/usr/sbin/nft -f
nft add rule ip filter INPUT tcp dport 22 counter accept
nft add rule ip filter INPUT tcp dport 80 counter accept
nft add rule ip filter INPUT tcp dport 443 counter accept
nft add rule ip filter INPUT tcp dport 7443 counter accept
nft add rule ip filter INPUT tcp dport 5060-5091 counter accept
nft add rule ip filter INPUT udp dport 5060-5091 counter accept
nft add rule ip filter INPUT udp dport 16384-32768 counter accept
nft add rule ip filter INPUT icmp type echo-request counter accept
nft add rule ip filter INPUT udp dport 1194 counter accept
nft add rule ip mangle OUTPUT udp sport 16384-32768 counter ip dscp set 0x2e
nft add rule ip mangle OUTPUT tcp sport 5060-5091 counter ip dscp set 0x1a
nft add rule ip mangle OUTPUT udp sport 5060-5091 counter ip dscp set 0x1a
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# Block specific IP addresses
#ip saddr 10.1.0.3 drop
# Allow loopback interface traffic
iifname "lo" counter accept
# Accept related and established connections
ct state related,established counter accept
# Allow SSH port
tcp dport 22 counter accept
# Allow HTTP/HTTPS
tcp dport {80,443} counter accept
# Secure Websocket port
tcp dport 7443 counter accept
# Allow SIP ports
tcp dport 5060-5091 counter accept
udp dport 5060-5091 counter accept
# Allow RTP Media ports
udp dport 16384-32768 counter accept
# Accept ICMP echo requests (ping)
icmp type echo-request counter accept
# Allow OpenVPN port
udp dport 1194 counter accept
# Allow ICMP accept
icmp type echo-request counter accept
}
chain forward {
type filter hook forward priority 0;
policy drop;
}
chain output {
type filter hook output priority 0;
policy accept;
}
chain sip-auth-ip {
type filter hook input priority -50;
policy accept;
# Block specific IP addresses
#ip saddr 10.1.0.3 counter drop
}
chain sip-auth-fail {
type filter hook input priority -50;
policy accept;
}
}
table inet mangle {
chain output {
type route hook output priority -150;
# Set DSCP value for TCP and UDP traffic from source ports
tcp sport 5060-5091 counter ip dscp set 0x1a
udp sport 5060-5091 counter ip dscp set 0x1a
# Set DSCP value for UDP traffic from source ports
udp sport 16384-32768 counter ip dscp set 0x2e
policy accept;
}
}
EOF
#enable nftables and start the service
systemctl enable nftables
systemctl start nftables
#load the nftable configuration
nft -f /etc/nftables.conf