+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: nftables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: nftables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ systemctl stop fail2ban.service
+
+ # Start afresh
+ nft flush
+
+ # Default policies
+ nft create table ip filter
+ nft create table ip nat
+ nft create chain ip nat prerouting { type nat hook preroutung priority 0; policy accept; }
+ nft create chain ip nat postrouting { type nat hook postroutung priority 0; policy accept; }
+ nft create chain ip filter input { type filter hook input priority 0; policy drop; }
+ nft create chain ip filter output { type filter hook output priority 0; policy accept; }
+ nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
+
+ start_firewall
+ /etc/rc.d/init.d/rc.masq
+ systemctl start fail2ban.service
+ ;;
+
+ stop)
+ systemctl stop fail2ban.service
+
+ nft flush
+ nft create chain ip filter input { type filter hook input priority 0; policy drop; }
+ nft create chain ip filter output { type filter hook output priority 0; policy drop; }
+ nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
+ ;;
+
+ clear)
+ systemctl stop fail2ban.service
+
+ # Flush (delete) all rules
+ nft flush
+ nft create chain ip filter input { type filter hook input priority 0; policy accept; }
+ nft create chain ip filter output { type filter hook output priority 0; policy accept; }
+ nft create chain ip filter forward { type filter hook forward priority 0; policy accept; }
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
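Review bot: The `nft create chain … { …; policy drop; }` lines (L25–L29, L40–L42, L50–L52) are unquoted, so `sh` splits them at each `;` and then meets a bare `}` in command position, which dash/bash reject as a syntax error — the `case` block never parses, and none of the chains are installed. This is worst for `stop`, whose purpose is a deny-all policy: even with quoting, that branch flushes the ruleset (L39) and then creates chains in an `ip filter` table it never creates, so the `create chain` calls fail and the host is left with no firewall at all, failing open rather than closed; `clear` has the same missing-table problem. Two further typos would still block `start`: `nft flush` needs an object (`nft flush ruleset`, L20/L39/L49), and the NAT hooks on L25–L26 are spelled `preroutung`/`postroutung`, so the NAT chains that `rc.masq` presumably relies on are never created. I would quote each chain spec as one argument, fix the hook names and the flush, and create the table in the stop/clear branches; `start_firewall` comes from the sourced `functions.phd` and is not visible here, and its exit status (like `rc.masq`'s) is unchecked, so a failure there also leaves fail2ban stopped.
```shell
 start)
 systemctl stop fail2ban.service

 # Start afresh. "flush" needs an object, and each chain spec must be a single
 # shell word or sh splits it at ';' and chokes on the bare '}'.
 nft flush ruleset

 nft create table ip filter
 nft create table ip nat
 nft create chain ip nat prerouting  '{ type nat hook prerouting priority 0; policy accept; }'
 nft create chain ip nat postrouting '{ type nat hook postrouting priority 0; policy accept; }'
 nft create chain ip filter input   '{ type filter hook input priority 0; policy drop; }'
 nft create chain ip filter output  '{ type filter hook output priority 0; policy accept; }'
 nft create chain ip filter forward '{ type filter hook forward priority 0; policy drop; }'
 # … unchanged: start_firewall, rc.masq, fail2ban restart …
 ;;

 stop)
 systemctl stop fail2ban.service

 # Fail closed: the table has to exist before its base chains can be created.
 nft flush ruleset
 nft create table ip filter
 nft create chain ip filter input   '{ type filter hook input priority 0; policy drop; }'
 nft create chain ip filter output  '{ type filter hook output priority 0; policy drop; }'
 nft create chain ip filter forward '{ type filter hook forward priority 0; policy drop; }'
 ;;
 # … clear) gets the same flush ruleset / create table / quoted chain lines with policy accept …
```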