forked from norman/fusionpbx-install.sh-github-mirror
115 lines
2.4 KiB
Bash
Executable File
115 lines
2.4 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
#move to script directory so all relative paths work
|
|
cd "$(dirname "$0")"
|
|
|
|
#add the includes
|
|
. ./config.sh
|
|
. ./colors.sh
|
|
. ./environment.sh
|
|
|
|
#send a message
|
|
verbose "Configuring nftables"
|
|
|
|
#download the latest package index
|
|
apt update
|
|
|
|
#install nftables
|
|
apt install nftables -y
|
|
|
|
#remove iptables
|
|
apt purge iptables-persistent -y
|
|
rm -rf /etc/iptables
|
|
|
|
#run iptables commands
|
|
cat << EOF > /etc/nftables.conf
|
|
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
policy drop;
|
|
|
|
# Block specific IP addresses
|
|
#ip saddr 10.1.0.3 drop
|
|
|
|
# Allow loopback interface traffic
|
|
iifname "lo" counter accept
|
|
|
|
# Accept related and established connections
|
|
ct state related,established counter accept
|
|
|
|
# Allow SSH port
|
|
tcp dport 22 counter accept
|
|
|
|
# Allow HTTP/HTTPS
|
|
tcp dport {80,443} counter accept
|
|
|
|
# Secure Websocket port
|
|
tcp dport 7443 counter accept
|
|
|
|
# Allow SIP ports
|
|
tcp dport 5060-5091 counter accept
|
|
udp dport 5060-5091 counter accept
|
|
|
|
# Allow RTP Media ports
|
|
udp dport 16384-32768 counter accept
|
|
|
|
# Accept ICMP echo requests (ping)
|
|
icmp type echo-request counter accept
|
|
|
|
# Allow OpenVPN port
|
|
udp dport 1194 counter accept
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
policy drop;
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
policy accept;
|
|
}
|
|
|
|
chain sip-auth-ip {
|
|
type filter hook input priority -50;
|
|
policy accept;
|
|
|
|
# Block specific IP addresses
|
|
#ip saddr 10.1.0.3 counter drop
|
|
}
|
|
|
|
chain sip-auth-fail {
|
|
type filter hook input priority -50;
|
|
policy accept;
|
|
}
|
|
|
|
}
|
|
|
|
table inet mangle {
|
|
chain output {
|
|
type route hook output priority -150;
|
|
|
|
# Set DSCP value for TCP and UDP traffic from source ports
|
|
tcp sport 5060-5091 counter ip dscp set 0x1a
|
|
udp sport 5060-5091 counter ip dscp set 0x1a
|
|
|
|
# Set DSCP value for UDP traffic from source ports
|
|
udp sport 16384-32768 counter ip dscp set 0x2e
|
|
|
|
policy accept;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
#enable nftables and start the service
|
|
systemctl enable nftables
|
|
systemctl start nftables
|
|
|
|
#load the nftable configuration
|
|
nft -f /etc/nftables.conf
|
|
|