Improve code quality by addressing shellcheck warnings across security-critical scripts. src/security-hardening.sh: - Add shellcheck directive for SC2120/SC2119 - Function configure_password_policy() accepts optional args - Directive documents intentional usage pattern src/firewall-setup.sh: - Fix function argument passing in main() - Properly pass arguments to configure_firewall() config/hooks/installed/encryption-setup.sh: - Consolidate echo commands to fix SC2129 - Use single redirect for multiple writes Remaining warnings are non-critical: - SC1091: Source files exist at runtime in Docker container - SC2016: Intentional single quotes for sed pattern No functional changes - purely code quality improvements. 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>
#!/bin/bash
# Dynamic firewall setup script
set -euo pipefail
# Function to parse WireGuard endpoint
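#######################################
# Extract the peer endpoint ("IPv4:port") from a WireGuard config file.
# Arguments: $1 - path to the config (default /etc/wireguard/wg0.conf)
# Outputs:   the first endpoint found, on stdout; diagnostics on stderr
# Returns:   0 when an endpoint was printed, 1 otherwise
#######################################
parse_wg_endpoint() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  # Only IPv4 literals are accepted because the generated rule uses
  # 'ip daddr'; spacing around '=' is tolerated, leading '#' is not.
  local re='^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*([0-9.]+:[0-9]+)'
  local line

  if [[ ! -f $wg_config ]]; then
    # Diagnostics go to stderr: callers capture stdout as the endpoint value,
    # so an error printed there would be mistaken for a result.
    echo "Error: WireGuard config not found at $wg_config" >&2
    return 1
  fi

  # Return only the first match so a multi-peer config cannot yield a
  # multi-line value; read -r/IFS= keep the line byte-exact.
  while IFS= read -r line || [[ -n $line ]]; do
    if [[ $line =~ $re ]]; then
      printf '%s\n' "${BASH_REMATCH[1]}"
      return 0
    fi
  done <"$wg_config"

  echo "Error: Could not parse endpoint from WireGuard config" >&2
  return 1
}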
# Function to generate nftables rules
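#######################################
# Render an nftables ruleset that only lets WireGuard traffic to one endpoint
# (plus loopback and ping) leave the host.
# Arguments: $1 - endpoint as "IPv4:port"
# Outputs:   the ruleset on stdout; diagnostics on stderr
# Returns:   0 on success, 1 when the endpoint is empty or malformed
#######################################
generate_nftables_rules() {
  local endpoint="${1:-}"
  local ip port

  # Refuse anything that is not "IPv4:port": an empty or malformed value
  # would be spliced verbatim into the ruleset and make nft reject the file.
  if [[ ! $endpoint =~ ^([0-9.]+):([0-9]+)$ ]]; then
    echo "Error: invalid WireGuard endpoint '$endpoint' (expected IPv4:port)" >&2
    return 1
  fi
  ip="${BASH_REMATCH[1]}"
  port="${BASH_REMATCH[2]}"

  # Both input and output drop by default, so replies to permitted traffic
  # (the peer's handshake answer, echo replies) need an explicit conntrack
  # accept or the tunnel can never come up.
  # NOTE(review): no rule admits packets arriving on the WireGuard interface
  # itself (input/forward accept only loopback and ping), so nothing reaches
  # this host over the tunnel -- confirm that is intended.
  cat <<EOF
#!/usr/sbin/nft -f
# Secure firewall rules for WireGuard-only access
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop
    iif lo accept comment "Accept loopback"
    ct state established,related accept comment "Accept replies to permitted traffic"
    ct state invalid drop comment "Drop invalid packets"
    icmp type echo-request accept comment "Accept ping"
  }

  chain forward {
    type filter hook forward priority 0; policy drop
  }

  chain output {
    type filter hook output priority 0; policy drop
    oif lo accept comment "Accept loopback"
    ct state established,related accept comment "Accept replies to permitted traffic"
    udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
    icmp type echo-request accept comment "Allow ping"
  }
}
EOF
}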
# Function to apply firewall configuration
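#######################################
# Build the ruleset for the endpoint in a WireGuard config, validate it with
# nft, install it as /etc/nftables.conf and restart the nftables service.
# Arguments: $1 - path to the WireGuard config (default /etc/wireguard/wg0.conf)
# Outputs:   progress on stdout, warnings/errors on stderr
# Returns:   0 when applied or when no config/endpoint is available (warning
#            only); 1 when the rendered ruleset fails validation
#######################################
apply_firewall() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  local endpoint tmp_rules

  if [[ ! -f $wg_config ]]; then
    # NOTE(review): nothing is written on this path, so whatever ruleset is
    # already loaded stays in effect; the message may overstate what happens.
    echo "Warning: WireGuard config not found, using default deny policy" >&2
    return 0
  fi

  # Under 'set -e' a failing command substitution aborts the script before
  # the fallback is reached, so test the status explicitly inside the 'if'.
  if ! endpoint=$(parse_wg_endpoint "$wg_config") || [[ -z $endpoint ]]; then
    echo "Warning: Could not parse WireGuard endpoint, using default deny policy" >&2
    return 0
  fi

  # Render next to the target and let nft check the file before it replaces
  # the live config, so a bad render never becomes /etc/nftables.conf.
  tmp_rules=$(mktemp /etc/nftables.conf.XXXXXX) || return 1
  if ! generate_nftables_rules "$endpoint" >"$tmp_rules" || ! nft -c -f "$tmp_rules"; then
    rm -f -- "$tmp_rules"
    echo "Error: generated nftables rules failed validation; existing firewall left unchanged" >&2
    return 1
  fi
  mv -f -- "$tmp_rules" /etc/nftables.conf

  systemctl enable nftables
  systemctl restart nftables
  echo "Firewall configured for endpoint: $endpoint"
}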
# Main setup
#######################################
# Entry point: announce, apply the firewall for the given config, report.
# Arguments: $1 - optional path to the WireGuard config (passed through)
# Outputs:   progress lines on stdout
#######################################
main() {
  printf '%s\n' "Setting up dynamic firewall..."
  apply_firewall "${1:-}"
  printf '%s\n' "Firewall setup completed."
}
# Run main if script is executed directly
# Only run main when executed, not when sourced for its functions.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi