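#!/bin/bash
# Dynamic firewall setup hook - PRD FR-004
# Default deny with WireGuard VPN allow, DNS via VPN, DHCP on LAN
#
# Writes the persistent nftables ruleset to /etc/nftables.conf and enables the
# nftables unit so the ruleset is loaded at boot. The hook does not apply the
# ruleset to the running kernel itself; the nftables service does that on the
# next boot (presumably this runs during image build/provisioning - confirm).
#
# Usage:        run as root; no arguments, no environment variables required.
# Side effects: overwrites /etc/nftables.conf, enables nftables.service.
# Exit status:  non-zero if writing the file or enabling the unit fails
#               (set -e); a failed ruleset syntax check only warns, see below.

set -euo pipefail

readonly NFT_CONF=/etc/nftables.conf

echo "Setting up firewall configuration..."

# Quoted heredoc delimiter: nothing inside is expanded by the shell, so the
# ruleset below is written byte-for-byte.
cat >"$NFT_CONF" <<'EOF'
#!/usr/sbin/nft -f
# KNEL-Football Secure Firewall - PRD FR-004
# Default deny, WireGuard VPN outbound only, DNS through VPN tunnel
#
# Only IPv4 ICMP is matched below ("icmp type"). ICMPv6 (neighbour/router
# discovery) is therefore dropped by the default policy, which effectively
# disables IPv6 on this host. Presumably intended for a default-deny VPN-only
# box - confirm; if IPv6 is ever required, icmpv6 nd-* rules must be added.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop

        # Accept loopback
        iif lo accept comment "Accept loopback"

        # Accept established/related connections
        ct state established,related accept comment "Accept established/related"

        # Accept DHCP: server->client offers, and client->server requests
        # (the second rule only matters if this host also serves DHCP - confirm)
        udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
        udp sport 68 udp dport 67 accept comment "Accept DHCP requests"

        # Accept ICMP ping (IPv4 only)
        icmp type echo-request accept comment "Accept ping"
        icmp type destination-unreachable accept comment "Accept dest unreachable"
        icmp type time-exceeded accept comment "Accept time exceeded"

        # Drop invalid (already covered by policy drop; kept explicit for
        # counters/readability - it runs after the accepts above, so nothing
        # accepted earlier reaches it)
        ct state invalid drop comment "Drop invalid packets"
    }

    chain forward {
        # No forwarding rules at all: this host is not a router/gateway.
        type filter hook forward priority 0; policy drop
    }

    chain output {
        type filter hook output priority 0; policy drop

        # Accept loopback
        oif lo accept comment "Accept loopback"

        # Accept established/related connections (return traffic)
        ct state established,related accept comment "Accept established/related"

        # Accept DHCP client requests (broadcast to find DHCP server)
        udp dport 67 accept comment "Allow DHCP client requests"

        # Accept WireGuard UDP (any endpoint - config determines actual peer).
        # NOTE: this is the only cleartext path off the box: any local process
        # may send UDP to any host on these ports. Restricting the rule to the
        # configured peer endpoint(s) would close that gap once the endpoint is
        # known.
        udp dport 51820-51830 accept comment "Allow WireGuard VPN"

        # Accept ALL traffic (including DNS) leaving via a WireGuard tunnel
        # interface; DNS is not singled out, it simply rides the tunnel.
        oifname "wg*" accept comment "Accept all traffic via VPN tunnel"

        # Accept ICMP (IPv4 only)
        icmp type echo-request accept comment "Allow ping"
        icmp type destination-unreachable accept comment "Allow dest unreachable"

        # Drop invalid (explicit; policy drop would catch it anyway)
        ct state invalid drop comment "Drop invalid packets"
    }
}
EOF

# Syntax-check the ruleset before enabling it. If nftables.service fails to
# load the file at boot, the unit errors out and the host comes up with NO
# filtering (fail-open), so a bad file should be caught here, not on first
# boot. Best-effort only: `nft -c` may need netlink access that a build chroot
# or unprivileged container lacks, so a failure here is reported, not fatal.
if command -v nft >/dev/null 2>&1; then
  if ! nft -c -f "$NFT_CONF"; then
    printf 'WARNING: %s failed nft syntax check; verify before first boot\n' \
      "$NFT_CONF" >&2
  fi
fi

systemctl enable nftables

echo "Firewall setup hook completed."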