random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)
https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

initrd nftables service #56

Closed Andrei-Pozolotin closed 4 years ago

Andrei-Pozolotin commented 4 years ago

firewall inside initramfs: initrd-nftables.service

many thanks to @vvl-rulez Vladislav, see: #53 #55

```
# Provides firewall when running inside initrd
# see: https://wiki.archlinux.org/index.php/Nftables
```
vaminakov commented 4 years ago

> @vvl-rulez please review and test on live system #56

I've checked the code, seems all is okay. To test it on a system I need the actual PKGBUILD - do you have it? https://aur.archlinux.org/mkinitcpio-systemd-tool.git is so old.

Andrei-Pozolotin commented 4 years ago

> I've checked the code, seems all is okay.

thank you

> I need actual PKGBUILD

you did review, right? :-) well, then you missed it: PKGBUILD

usage:

```
cd /tmp
git clone git@github.com:random-archer/mkinitcpio-systemd-tool.git
cd mkinitcpio-systemd-tool
git fetch origin pull/56/head:vvl-nftables
git checkout vvl-nftables
ls -las
makepkg -e
sudo pacman -U *.pkg.tar.xz
```
vaminakov commented 4 years ago

> well, then you missed it: PKGBUILD

Oh, really, sorry.

Package compiles successfully, but the service has some problems at boot. First: `Error: Could not process rule: Operation not supported`. I solved it by editing `InitrdCall=add_all_modules /netfilter/nft_*` to `InitrdCall=add_all_modules /netfilter/nf_tables*`.

Now errors like `Could not process rule: No such file or directory` are left. Trying to solve it. Will commit all fixes later.

vaminakov commented 4 years ago

By the way...

```
systemd-networkd[595]: Configuration file /etc/systemd/network/initrd-network.network is marked executable. Please remove executable permission bits. Proceeding anyway.
systemd-networkd[595]: Configuration file /etc/systemd/network/initrd-network.network is marked world-writable. Please remove world writability permission bits. Proceeding anyway.
```

vaminakov commented 4 years ago

> I solved it by editing `InitrdCall=add_all_modules /netfilter/nft_*` to `InitrdCall=add_all_modules /netfilter/nf_tables*`

Need both nftables* and nft. When I edited the file to `InitrdCall=add_all_modules /netfilter/nf`, all works fine. What should we do, this way or 2 lines?

Andrei-Pozolotin commented 4 years ago

> What should we do, this way or 2 lines?

I applied your review, thank you

> initrd-network.network is marked executable
> initrd-network.network is marked world-writable

I can not reproduce, please try to trace the origin of this bug

> really, sorry

no problem, I understand

please review again, test again:

vaminakov commented 4 years ago

> * positive check: remote ssh allowed

Works

> * negative check: remote port scan denied

Works

All seems good and working. Don't forget to add /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf to the backup section of PKGBUILD (and for the package maintainer too) :)
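The two acceptance checks above (ssh allowed, everything else denied) and the permission warning systemd-networkd printed earlier in this thread, as an added example that is not the PR's own initrd-nftables.conf: a constructed default-drop ruleset for the initrd, a dry-run syntax check with `nft -c` when nft is installed, and a mode check that catches exactly the executable and world-writable bits the warning complained about. Port 22, the `lo` interface and the file names are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the PR.

# Constructed ruleset: drop by default, allow loopback, established flows,
# ping / neighbour discovery, and ssh on tcp/22 (the "positive check").
INITRD_RULESET='flush ruleset
table inet initrd {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
        tcp dport 22 accept
    }
}'

# Write the ruleset to $1 with the mode a config file should have (0644).
write_ruleset() {
    printf '%s\n' "$INITRD_RULESET" > "$1" && chmod 0644 "$1"
}

# Dry-run parse with nft when available (needs the nf_tables modules loaded).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft -c -f "$1"
}

# Cheap offline check: the ssh accept rule is present in the file.
ruleset_has_ssh_rule() {
    grep -q 'tcp dport 22 accept' "$1"
}

# Return 0 when the file is neither executable nor world-writable, 1 otherwise
# (the two conditions systemd-networkd warned about for initrd-network.network).
config_mode_ok() {
    perm=$(stat -c '%A' "$1") || return 1      # e.g. -rw-r--r--
    case "$perm" in
        *x*)        echo "$1: executable ($perm)" >&2; return 1 ;;
        ????????w?) echo "$1: world-writable ($perm)" >&2; return 1 ;;
    esac
    return 0
}
```

Run `check_ruleset` on the written file on a machine with nft to validate syntax before the ruleset goes into the initramfs; `config_mode_ok` is the check to run over every file under /etc/systemd/network and /etc/mkinitcpio-systemd-tool/config before rebuilding.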