Feat(firewall): Switch to `nftables`

[ansible.git] / playbooks / roles / redhat / firewall / files / etc / rc.d / init.d / nftables.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables.sh
# Required-Start: $remote_fs $network
# Required-Stop:  $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: nftables firewall
### END INIT INFO

# Setup ip firewall

. /etc/network/functions.phd

case "$1" in
   start)
      systemctl stop fail2ban.service

      # Start afresh
      nft flush

      # Default policies
      nft create table ip filter
      nft create table ip nat
      nft create chain ip nat prerouting { type nat hook preroutung priority 0; policy accept; }
      nft create chain ip nat postrouting { type nat hook postroutung priority 0; policy accept; }
      nft create chain ip filter input { type filter hook input priority 0; policy drop; }
      nft create chain ip filter output { type filter hook output priority 0; policy accept; }
      nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }

      start_firewall
      /etc/rc.d/init.d/rc.masq
      systemctl start fail2ban.service
   ;;

   stop)
      systemctl stop fail2ban.service

      nft flush
      nft create chain ip filter input { type filter hook input priority 0; policy drop; }
      nft create chain ip filter output { type filter hook output priority 0; policy drop; }
      nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
   ;;

   clear)
      systemctl stop fail2ban.service

      # Flush (delete) all rules
      nft flush
      nft create chain ip filter input { type filter hook input priority 0; policy accept; }
      nft create chain ip filter output { type filter hook output priority 0; policy accept; }
      nft create chain ip filter forward { type filter hook forward priority 0; policy accept; }
   ;;

   *)
      echo "Usage: firewall {start|stop|clear}"
      exit 1
esac

exit 0