--- /dev/null
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter \
+            hook input \
+            priority 0;
+        policy drop;
+        iif lo \
+            accept \
+            comment "accept localhost traffic";
+        ct state invalid \
+            drop \
+            comment "drop invalid connections";
+        ct state established, related \
+            accept \
+            comment "accept traffic originated from us";
+        tcp dport 22 \
+            accept \
+            comment "accept SSH on default port";
+        ip protocol icmp \
+            icmp type echo-request \
+            accept \
+            comment "accept ICMP for pinging";
+    }
+    chain forward {
+        type filter \
+            hook forward \
+            priority 0;
+        policy drop;
+    }
+    chain output {
+        type filter \
+            hook output \
+            priority 0;
+        policy accept;
+    }
+}
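Review bot: The input chain of this `inet` table accepts only IPv4 ICMP echo-request, so with `policy drop` every ICMPv6 packet is discarded, including the neighbour discovery that IPv6 depends on. On a host with an IPv6 address, new inbound IPv6 connections (the SSH rule on port 22 included) would likely stop working once the neighbour cache expires. I would add a rule next to the ICMP one, for example `icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept comment "accept ICMPv6 needed for IPv6";`. The SSH rule accepts from any source with no rate limit; if that is intended, its comment should say so.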
 
 ln -sf /usr/share/zoneinfo/Europe/Berlin "${PATH_ETC}/localtime"
 ntpdate-debian
 
-setup_users "${MIN_TAGS}" ""
+setup_users "${MIN_TAGS}" ''
 
+echo '\nMoving SSH data from root to user.'
 mkdir -p "${PATH_USER_SSH}"
 mv "/root/${PATH_REL_SSH}/authorized_keys" "${PATH_USER_SSH}/"
 chown -R "${USERNAME}:${USERNAME}" "${PATH_USER_SSH}"
 
-# # Enable firewall.
-# systemctl enable nftables.service
+echo '\nEnabling the firewall.'
+systemctl enable nftables.service
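Review bot: `systemctl enable nftables.service` only arranges for the ruleset to load at the next boot, so unless the script reboots later (not visible in this hunk) the host stays unfiltered after setup finishes. `systemctl enable --now nftables.service` would load it immediately as well. The hunk does not show the new ruleset being installed at the path the unit reads, which is worth confirming. Separately, the two added `echo '\n…'` lines print a literal `\n` when the script runs under bash; `printf '\nEnabling the firewall.\n'` gives the same output in every shell.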