linse/boxtools
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix nftables (firewall) mechanism

Browse Source
This commit is contained in:
zolliker
2024-03-05 11:16:27 +01:00
parent 42d80f9567
commit 6f025880ce
3 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
install.py
View File

@ -149,6 +149,7 @@ def router(**opts):
if not opts: if not opts:
return None return None
try: try:
os.remove(join(TOOLS, 'to_system/etc/nftables.conf'))
with open(f'{TOOLS}/requirements.txt') as f: with open(f'{TOOLS}/requirements.txt') as f:
pip_requirements['root']['tools'] = f.read() pip_requirements['root']['tools'] = f.read()
except FileNotFoundError: except FileNotFoundError:
@ -193,7 +194,7 @@ def pip():
os.remove(tmpname) os.remove(tmpname)
else: else:
print(pipcmd) print(pipcmd)
# unix_cmd(pipcmd, stdout=None) unix_cmd(pipcmd, stdout=None)
show.dirty = True show.dirty = True
@ -506,7 +507,7 @@ def handle_config():
if parser.has_section(section): if parser.has_section(section):
servicecfg = service_func(**dict(parser[section])) servicecfg = service_func(**dict(parser[section]))
else: else:
servicecfg = None servicecfg = service_func() # allow to handle missing service
result = unix_cmd('systemctl show -p WantedBy -p ActiveState %s' % service, True) result = unix_cmd('systemctl show -p WantedBy -p ActiveState %s' % service, True)
active = False active = False
enabled = False enabled = False
@ -522,6 +523,12 @@ def handle_config():
if enabled: if enabled:
unix_cmd('systemctl disable %s' % service) unix_cmd('systemctl disable %s' % service)
show.dirty = True show.dirty = True
if service == 'router' and active or enabled:
if doit:
shutil.copy(join(TOOLS, 'nftables.conf'), '/etc/nftables.conf')
else:
print('cp nftables.conf /etc/nftables.conf')
unix_cmd('systemctl restart nftables')
else: else:
if not enabled: if not enabled:
to_start[service] = 'enable' to_start[service] = 'enable'

25
nftables.conf Normal file
View File

@ -0,0 +1,25 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# activate the following line to accept common local services
tcp dport { 22 } ct state new accept
# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
# count and drop any other traffic
counter drop
}
}

3
router.py
View File

@ -423,7 +423,8 @@ class Service:
with open('f{FIREWALL_CONF}.tmp', 'w') as f: with open('f{FIREWALL_CONF}.tmp', 'w') as f:
f.write(content.replace(prevline, line)) f.write(content.replace(prevline, line))
os.rename('f{FIREWALL_CONF}.tmp', FIREWALL_CONF) os.rename('f{FIREWALL_CONF}.tmp', FIREWALL_CONF)
unix_cmd('systemctl enable --now nftables') unix_cmd('systemctl restart nftables')
unix_cmd('systemctl enable nftables')
else: else:
print('need sudo rights to modify firewall') print('need sudo rights to modify firewall')