1.1.0 starting firewall + improve config file

Author: ggtrd

bashpack.sh

@@ -25,17 +25,19 @@
 
 
 
-export VERSION="1.0.12"
+export VERSION="1.1.0"
 
 export NAME="Bashpack"
 export NAME_LOWERCASE=$(echo "$NAME" | tr A-Z a-z)
+export NAME_UPPERCASE=$(echo "$NAME" | tr a-z A-Z)
 export NAME_ALIAS="bp"
 
 BASE_URL="https://api.github.com/repos/bashpack-project"
 
 USAGE="Usage: sudo $NAME_ALIAS [COMMAND] [OPTION]..."$'\n'"$NAME_ALIAS --help"
 
 export yes="@(yes|Yes|yEs|yeS|YEs|YeS|yES|YES|y|Y)"
+export continue_question="Do you want to continue? [y/N] "
 
 
 
@@ -176,6 +178,12 @@ get_config_value() {
 	local parameter=${2}
 
 	while read -r line; do
+
+		# Avoid reading comments
+		if [[ $line =~ ^"${#}" ]]; then
+			break
+		fi
+
 		if [[ $line =~ ^([^=]+)[[:space:]]([^=]+)$ ]]; then
 			# Test first word (= parameter name)...
 			if [[ $parameter = ${BASH_REMATCH[1]} ]]; then
@@ -264,11 +272,13 @@ if [[ $0 = "./$NAME_LOWERCASE.sh" ]] && [[ -d "commands" ]]; then
 	echo ""
 	COMMAND_UPDATE="commands/update.sh"
 	COMMAND_MAN="commands/man.sh"
-	COMMAND_VERIFY_INTALLATION="commands/tests.sh"
+	COMMAND_VERIFY="commands/tests.sh"
+	COMMAND_FIREWALL="commands/firewall.sh"
 else
 	COMMAND_UPDATE="$dir_src/update.sh"
 	COMMAND_MAN="$dir_src/man.sh"
-	COMMAND_VERIFY_INTALLATION="$dir_src/tests.sh"
+	COMMAND_VERIFY="$dir_src/tests.sh"
+	COMMAND_FIREWALL="$dir_src/firewall.sh"	
 fi
 COMMAND_SYSTEMD_LOGS="journalctl -e _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value $file_systemd_update.service`"
 COMMAND_SYSTEMD_STATUS="systemctl status $file_systemd_update.timer"
@@ -713,13 +723,24 @@ case "$1" in
 	man)					$COMMAND_MAN ;;
 	verify)
 		if [[ -z "$2" ]]; then
-			export function_to_launch="check_all" && exec $COMMAND_VERIFY_INTALLATION
+			export function_to_launch="check_all" && exec $COMMAND_VERIFY
+		else
+			case "$2" in
+				-f|--files)						export function_to_launch="check_files" && exec $COMMAND_VERIFY ;;
+				-d|--download)					export function_to_launch="check_download" && exec $COMMAND_VERIFY ;;
+				-r|--repository-reachability)	export function_to_launch="check_repository_reachability" && exec $COMMAND_VERIFY ;;
+				*)								echo "Error: unknown [$1] option '$2'."$'\n'"$USAGE" && exit ;;
+			esac
+		fi ;;
+	firewall)
+		if [[ -z "$2" ]]; then
+			exec $COMMAND_FIREWALL
 		else
 			case "$2" in
-				-f|--files)						export function_to_launch="check_files" && exec $COMMAND_VERIFY_INTALLATION ;;
-				-d|--download)					export function_to_launch="check_download" && exec $COMMAND_VERIFY_INTALLATION ;;
-				-r|--repository-reachability)	export function_to_launch="check_repository_reachability" && exec $COMMAND_VERIFY_INTALLATION ;;
-				*)								echo "Error: unknown [verify] option '$2'."$'\n'"$USAGE" && exit ;;
+				-o|--open-inbound-port)			exec $COMMAND_FIREWALL ;;
+				-e|--enable)					exec $COMMAND_FIREWALL ;;
+				--disable)						exec $COMMAND_FIREWALL ;;
+				*)								echo "Error: unknown [$1] option '$2'."$'\n'"$USAGE" && exit ;;
 			esac
 		fi ;;
 	update)
@@ -732,7 +753,7 @@ case "$1" in
 					--ask)				read -p "Do you want to automatically accept installations during the process? [y/N] " install_confirmation && export install_confirmation && exec $COMMAND_UPDATE ;;
 					--when)				$COMMAND_SYSTEMD_STATUS | grep Trigger: | awk '$1=$1' ;;
 					--get-logs)			$COMMAND_SYSTEMD_LOGS ;;
-					*)					echo "Error: unknown [update] option '$2'."$'\n'"$USAGE" && exit ;;
+					*)					echo "Error: unknown [$1] option '$2'."$'\n'"$USAGE" && exit ;;
 				esac
 			# done
 		fi ;;

commands/firewall.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+
+# MIT License
+
+# Copyright (c) 2024 Geoffrey Gontard
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+
+
+disable_firewall() {
+	systemctl stop nftables.service
+}
+
+
+
+
+# This script is based on nftables, it can't work without it.
+# Testing if nftables is installed on the system, try to install it if not, or exit.
+install_firewall() {
+	if [[ $(exists_command "nft") != "exists" ]]; then
+		echo "Error: nftables not found on the system but is required to configure your firewall with $NAME."
+		
+		if [[ $(exists_command "apt") = "exists" ]]; then
+			echo "Installing nftables with APT..."
+			echo "Warning: if iptables is installed, nftables will replace it. "
+			echo "Warning: be sure to keep a copy of your currents firewall rulesets."
+			read -p "$continue_question" install_confirmation_nftables
+
+			if [[ $install_confirmation_nftables = $yes ]]; then
+				apt install -y nftables
+				systemctl enable nftables.service
+				systemctl restart nftables.service
+			else
+				# Exit to avoid doing anything else with this script without nftables installed
+				exit
+			fi
+			
+		else
+			echo "Error: nftables could not been installed with APT."
+
+			# Exit to avoid doing anything else with this script without nftables installed
+			exit
+		fi
+
+	fi
+}
+
+
+
+	
+# Configure the firewall
+create_firewall() {
+	
+	now=$(date +%y-%m-%d_%H-%M-%S)
+	nftables_file="/etc/nftables.conf"
+	nftables_dir="/etc/bashpack/firewall/"
+	nftables_file_backup=$nftables_dir"nftables.conf_backup_$now"
+
+
+	# # Making sure to use nftables
+	# apt install -y nftables
+	# systemctl enable nftables.service
+	# systemctl restart nftables.service
+
+	# Making sure the nftables.conf file exists
+	nft list ruleset > $nftables_file
+
+	# Making a backup of your current nftables ruleset
+	mkdir -p $nftables_dir
+	chmod 755 $nftables_dir
+	cp $nftables_file $nftables_file_backup
+
+	echo ""
+	echo "A backup of your current nftables firewall ruleset has been saved to "$nftables_file_backup"."
+	echo ""
+
+	# --------------------------
+	# Here is what this script will erase and recreate :
+	#
+	# table inet filter
+	#	chain $NAME_UPPERCASE-PREROUTING type filter hook prerouting priority -199; policy drop;
+	#		ct state related,established counter accept
+	#		iifname lo counter accept
+	#	chain $NAME_UPPERCASE-OUTPUT
+	#		type filter hook output priority -300; policy accept;
+	#
+	# Documentation here: https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
+	# --------------------------
+
+	# Deleting current ruleset to get a clean firewall and avoid any issues
+	nft flush ruleset
+
+	# Adding the inet filter table to the current firewall
+	nft add table inet filter
+
+	# Creating $NAME_UPPERCASE-PREROUTING chain
+	# Eveything is closed inbound by default
+	nft add chain inet filter $NAME_UPPERCASE-PREROUTING { type filter hook prerouting priority -199\; policy drop\; }
+	nft add rule inet filter $NAME_UPPERCASE-PREROUTING ct state related,established counter accept
+	nft add rule inet filter $NAME_UPPERCASE-PREROUTING iifname lo counter accept
+	# Allowing Docker containers to see each others & to reach internet (works with or without Docker bridges) (this rule is created even if Docker is not installed to anticipate any futures Docker installations)
+	nft add rule inet filter $NAME_UPPERCASE-PREROUTING ip saddr 172.0.0.0/8 counter accept
+	# Inbound customs rules below
+	#nft add rule inet filter $NAME_UPPERCASE-PREROUTING tcp dport <PORT> counter accept
+
+	# Creating $NAME_UPPERCASE-POSTROUTING 
+	# Eveything is open outbound by default
+	nft add chain inet filter $NAME_UPPERCASE-POSTROUTING { type filter hook postrouting priority -300\; policy accept\; }
+
+
+	# Saving the new nftables ruleset
+	nft list ruleset > $nftables_file
+
+	# Restarting firewall
+	systemctl restart nftables.service
+
+	# Restarting Docker (if Docker is installed) to force it using nftables instead of iptables
+	if [[ $(exists_command "docker") = "exists" ]]; then
+		systemctl restart docker.service
+	fi
+
+
+	echo "Success! New firewall configured."
+
+
+}
+
+
+
+install_firewall
+create_firewall

commands/man.sh

@@ -25,67 +25,67 @@
 
 
 
-continue_question="Do you want to continue? [y/N] "
+# continue_question="Do you want to continue? [y/N] "
 
 
 
 
-# Usage : text_error_cant_install <manager>
-install_package_error() {
-	echo "Error: could not be installed with ${1}."
-}
+# # Usage : text_error_cant_install <manager>
+# install_package_error() {
+# 	echo "Error: could not be installed with ${1}."
+# }
 
 
 
 
-# Function to install packages on the system (and package managers also, because package managers are packages themselves).
-# Package manager order to search packages candidates: Apt -> Snapcraft -> Error "not found"
-# Usage : install_package <manager> <package>
-install_package() {
-	local manager=${1}
-	local package=${2}
+# # Function to install packages on the system (and package managers also, because package managers are packages themselves).
+# # Package manager order to search packages candidates: Apt -> Snapcraft -> Error "not found"
+# # Usage : install_package <manager> <package>
+# install_package() {
+# 	local manager=${1}
+# 	local package=${2}
 
-	echo ""
-	echo "Installing $package with $manager...  "
-	echo ""
+# 	echo ""
+# 	echo "Installing $package with $manager...  "
+# 	echo ""
 
-	if ([[ $manager = "apt" ]] && [[ $(exists_command "apt") = "exists" ]]) || [[ $(exists_command "apt") = "exists" ]]; then
-		apt install -y $package
-	elif ([[ $manager = "snap" ]] && [[ $(exists_command "snap") = "exists" ]]) || [[ $(exists_command "snap") = "exists" ]]; then
-		snap install $package
-	else
-		echo "$package: Error: package not found."
-	fi
+# 	if ([[ $manager = "apt" ]] && [[ $(exists_command "apt") = "exists" ]]) || [[ $(exists_command "apt") = "exists" ]]; then
+# 		apt install -y $package
+# 	elif ([[ $manager = "snap" ]] && [[ $(exists_command "snap") = "exists" ]]) || [[ $(exists_command "snap") = "exists" ]]; then
+# 		snap install $package
+# 	else
+# 		echo "$package: Error: package not found."
+# 	fi
 
-	echo ""
-}
+# 	echo ""
+# }
 
 
 
 
-# Function to delete packages on the system.
-# Package manager order to search packages candidates: Apt -> Snapcraft -> Error "not found"
-# Usage : delete_package $package <$manager> <yes>
-delete_package() {
-	local package=${1}
-	local manager=${2}
+# # Function to delete packages on the system.
+# # Package manager order to search packages candidates: Apt -> Snapcraft -> Error "not found"
+# # Usage : delete_package $package <$manager> <yes>
+# delete_package() {
+# 	local package=${1}
+# 	local manager=${2}
 
-	echo ""
-	if [[ $manager != "" ]]; then
-		echo "Uninstalling $package with $manager...  "
-	else
-		echo "Uninstalling $package with the default system manager...  "
-	fi
-	echo ""
+# 	echo ""
+# 	if [[ $manager != "" ]]; then
+# 		echo "Uninstalling $package with $manager...  "
+# 	else
+# 		echo "Uninstalling $package with the default system manager...  "
+# 	fi
+# 	echo ""
 
-	if ([[ $manager = "apt" ]] && [[ $(exists_command "apt") = "exists" ]]) || [[ $(exists_command "apt") = "exists" ]]; then
-		apt remove -y $package
-	elif ([[ $manager = "snap" ]] && [[ $(exists_command "snap") = "exists" ]]) || [[ $(exists_command "snap") = "exists" ]]; then
-		snap remove $package
-	else
-		echo "$package: Error: package not found."
-	fi
-}
+# 	if ([[ $manager = "apt" ]] && [[ $(exists_command "apt") = "exists" ]]) || [[ $(exists_command "apt") = "exists" ]]; then
+# 		apt remove -y $package
+# 	elif ([[ $manager = "snap" ]] && [[ $(exists_command "snap") = "exists" ]]) || [[ $(exists_command "snap") = "exists" ]]; then
+# 		snap remove $package
+# 	else
+# 		echo "$package: Error: package not found."
+# 	fi
+# }
 
 
 

commands/update.sh

@@ -1 +1,13 @@
+# How to use this file ?
+# A single space is necessary to match options with their values:
+# <option> <value>
+
+# publication can be "main", "unstable" or "dev"
+# - Production systems should always be configured with "main"
+# - "dev" and "unstable" are meant for development use only, you should never use them.
 publication main
+
+# firewall can be "auto" or "disable"
+# auto = automatically install & configure firewall at each update
+# disable = do not
+firewall auto