nftables install option

debian/install.sh

@@ -38,6 +38,9 @@ echo "set mouse-=a" >> ~/.vimrc
 #IPTables
 resources/iptables.sh
 
+#NFTables
+#resources/nftables.sh
+
 #sngrep
 resources/sngrep.sh
 

debian/resources/config.sh

@@ -27,7 +27,7 @@ database_port=5432                          # port number
 database_backup=false                       # true or false
 
 # General Settings
-php_version=8.2                             # PHP version 8.3, 8.2, 8.1
+php_version=8.4                             # PHP version 8.4, 8.3, 8.2, 8.1
 letsencrypt_folder=true                     # true or false
 
 # Optional Applications

debian/resources/fail2ban.sh

@@ -8,6 +8,8 @@ cd "$(dirname "$0")"
 . ./colors.sh
 . ./environment.sh
 
+FILE_PATH="/etc/iptables/rules.v4"
+
 #send a message
 verbose "Installing Fail2ban"
 
@@ -26,7 +28,17 @@ cp fail2ban/fusionpbx-mac.conf /etc/fail2ban/filter.d/fusionpbx-mac.conf
 cp fail2ban/fusionpbx-404.conf /etc/fail2ban/filter.d/fusionpbx-404.conf
 cp fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
 cp fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
-cp fail2ban/jail.local /etc/fail2ban/jail.local
+if [ ! -f "$FILE_PATH" ]; then
+    echo "Found nftables to be chosen, configuring system for nftables."
+    cp fail2ban/jail.local.nft /etc/fail2ban/jail.local
+    sed -i 's/iptables/nftables/g' /etc/fail2ban/jail.conf
+    else
+    echo "Default iptables was installed."
+    cp fail2ban/jail.local /etc/fail2ban/jail.local
+fi
+
+
+
 
 #update config if source is being used
 #if [ .$switch_source = .true ]; then

debian/resources/fail2ban/jail.local.nft

@@ -0,0 +1,151 @@
+[DEFAULT]
+# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
+#findtime = 10m           #Default Value on jail.conf. Uncomment this to use another value.
+#bantime  = 10m           #Default Value on jail.conf. Uncomment this to use another value. 
+#maxretry = 5             #Default Value on jail.conf. Uncomment this to use another value.
+#ignoreip = ip/subnet ip/subnet     #Uncomment and add IPs and subnets you don't wish to ban.
+# Save your modified copy of this for future use as a drop-in replacement.
+
+[ssh]
+enabled  = true
+port     = 22
+protocol = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+action   = nftables-allports[name=sshd, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 86400
+
+[freeswitch]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=freeswitch, protocol=all]
+maxretry = 10
+findtime = 60
+bantime  = 3600
+#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+
+[freeswitch-acl]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch-acl
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=freeswitch-acl, protocol=all]
+maxretry = 900
+findtime = 60
+bantime  = 86400
+
+[freeswitch-ip]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=freeswitch-ip, protocol=all]
+maxretry = 1
+findtime = 60
+bantime  = 86400
+
+[auth-challenge-ip]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = auth-challenge-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=auth-challenge-ip, protocol=all]
+maxretry = 1
+findtime = 60
+bantime  = 86400
+
+[sip-auth-challenge]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-challenge
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=sip-auth-challenge, protocol=all]
+maxretry = 100
+findtime = 60
+bantime  = 7200
+
+[sip-auth-failure]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-failure
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=sip-auth-failure, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 7200
+
+[fusionpbx-404]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = fusionpbx-404
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = nftables-allports[name=fusionpbx-404, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 86400
+
+[fusionpbx]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx
+logpath  = /var/log/auth.log
+action   = nftables-allports[name=fusionpbx, protocol=all]
+#          sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 20
+findtime = 60
+bantime  = 3600
+
+[fusionpbx-mac]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx-mac
+logpath  = /var/log/syslog
+action   = nftables-allports[name=fusionpbx-mac, protocol=all]
+#          sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 10
+findtime = 60
+bantime  = 86400
+
+[nginx-404]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-404
+logpath  = /var/log/nginx/access*.log
+action   = nftables-allports[name=nginx-404, protocol=all]
+bantime  = 3600
+findtime = 60
+maxretry = 300
+
+[nginx-dos]
+# Based on apache-badbots but a simple IP check (any IP requesting more than
+# 300 pages in 60 seconds, or 5p/s average, is suspicious)
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-dos
+logpath  = /var/log/nginx/access*.log
+action   = nftables-allports[name=nginx-dos, protocol=all]
+findtime = 60
+bantime  = 86400
+maxretry = 800

debian/resources/iptables.sh

@@ -27,6 +27,11 @@ if [ ."$os_codename" = ."bookworm" ]; then
 	update-alternatives --set iptables /usr/sbin/iptables-legacy
 	update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 fi
+if [ ."$os_codename" = ."trixie" ]; then
+	apt-get install -y iptables
+	update-alternatives --set iptables /usr/sbin/iptables-legacy
+	update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+fi
 
 #remove ufw
 ufw reset

debian/resources/php.sh

@@ -105,7 +105,7 @@ else
 		fi
 	fi
  	if [ ."$os_codename" = ."trixie" ]; then
-		if [ ."$php_version" = ."8.2" ]; then
+		if [ ."$php_version" = ."8.4" ]; then
 			/usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2
 			/usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg
    			/usr/bin/chmod 644 /etc/apt/keyrings/sury-php-8.x.gpg