LogalDeveloper/Arch-Linux-Installer
0
Fork 0
Code Issues Activity

Replaced UFW with nftables and a default filter table.

Browse Source
This commit is contained in:
Logan Fick
2025-12-01 20:35:20 -05:00
parent fd90dfdd40
commit 53a1fd3e55
2 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
etc/nftables.conf Normal file
View File

@@ -0,0 +1,40 @@
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iif lo counter accept comment "accept any localhost traffic"
ct state { established, related } counter accept comment "accept established,related"
ct state invalid counter drop comment "drop invalid"
meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
tcp dport ssh ct state { new } counter accept comment "accept new SSH connections"
counter comment "count any other dropped traffic"
}
chain output {
type filter hook output priority filter; policy drop;
iif lo counter accept comment "accept any localhost traffic"
ct state { established, related } counter accept comment "accept established,related"
ct state invalid counter drop comment "drop invalid"
meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
ct state new counter accept comment "accept new outbound connections"
counter comment "count any other dropped traffic"
}
chain forward {
type filter hook forward priority filter; policy drop;
# Drop everything forwarded to us. This device is not a router and does not forward.
counter comment "count dropped traffic"
}
}

8
install-arch-linux.sh
View File

@@ -123,7 +123,7 @@ pacstrap -K /mnt base \
less \ less \
tmux \ tmux \
sudo \ sudo \
ufw \ iptables-nft \
openssh \ openssh \
usbguard usbguard
@@ -190,6 +190,9 @@ arch-chroot /mnt useradd -m -G wheel $username
print "Please set the password for your new account." print "Please set the password for your new account."
arch-chroot /mnt passwd $username arch-chroot /mnt passwd $username
print "Installing default configuration files..."
cp -r ./etc /mnt
print "Setting up systemd-resolved..." print "Setting up systemd-resolved..."
arch-chroot /mnt sed -i "s|^#MulticastDNS=yes|MulticastDNS=no|" /etc/systemd/resolved.conf arch-chroot /mnt sed -i "s|^#MulticastDNS=yes|MulticastDNS=no|" /etc/systemd/resolved.conf
arch-chroot /mnt sed -i "s|^#LLMNR=yes|LLMNR=no|" /etc/systemd/resolved.conf arch-chroot /mnt sed -i "s|^#LLMNR=yes|LLMNR=no|" /etc/systemd/resolved.conf
@@ -239,6 +242,9 @@ RouteMetric=200
EOF EOF
arch-chroot /mnt systemctl enable systemd-networkd.service arch-chroot /mnt systemctl enable systemd-networkd.service
print "Enabling nftables firewall..."
arch-chroot /mnt systemctl enable nftables.service
print "Would you like to install iwd for Wi-Fi support? Enter 'y' exactly for yes, otherwise anything else to skip." print "Would you like to install iwd for Wi-Fi support? Enter 'y' exactly for yes, otherwise anything else to skip."
read install_iwd read install_iwd