home readme diff tree note docs

0commit df1a660fc8077efee681b14ac05d70baa568ff4f
1Author: lakefox <mason@lakefox.net>
2Date:   Sat Dec 20 18:08:38 2025 -0700
3
4    Firewall added
5
6diff --git a/modules/.network.sh.swp b/.init.sh.swp
7similarity index 71%
8rename from modules/.network.sh.swp
9rename to .init.sh.swp
10index 0088afd..08f5235 100644
11Binary files a/modules/.network.sh.swp and b/.init.sh.swp differ
12diff --git a/init.sh b/init.sh
13index 62275fc..c164ea0 100755
14--- a/init.sh
15+++ b/init.sh
16@@ -32,9 +32,7 @@ chmod +x root/usr/share/udhcpc/default.script
17 
18 # Load the firewall script
19 cp modules/network.sh root/lib
20-cp modules/firewall.sh root/lib
21 chmod +x root/lib/network.sh
22-chmod +x root/lib/firewall.sh
23 
24 # Make the init script executable
25 chmod +x root/init
26diff --git a/modules/firewall.sh b/modules/firewall.sh
27deleted file mode 100755
28index ccc832b..0000000
29--- a/modules/firewall.sh
30+++ /dev/null
31@@ -1,97 +0,0 @@
32-#!/bin/sh
33-
34-# Set IP forwarding (Mandatory for a router)
35-echo 1 > /proc/sys/net/ipv4/ip_forward
36-
37-# Bring up interfaces
38-ip link set eth0 up
39-ip link set eth1 up
40-ip addr add 192.168.0.1/24 dev eth1
41-
42-touch /var/lib/misc/udhcpd.leases
43-udhcpd /etc/udhcpd.conf &
44-
45-# Request an IP address from the Modem/ISP (eth0)
46-udhcpc -i eth0 &
47-
48-# Enable SYN cookies
49-echo 1 > /proc/sys/net/ipv4/tcp_syncookies
50-
51-# Increase the "backlog" (how many connections we can track at once)
52-echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
53-
54-# Reduce the time we wait for a dead connection to time out
55-echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
56-
57-# --- 1. Set Default Policies ---
58-# These tell the router: "If I didn't specifically allow it, kill it."
59-iptables -P INPUT DROP
60-iptables -P FORWARD DROP
61-iptables -P OUTPUT ACCEPT
62-
63-# --- 2. Allow Internal (Safe) Traffic ---
64-# Allow the router to talk to itself (localhost)
65-iptables -A INPUT -i lo -j ACCEPT
66-
67-# Allow your home devices (eth1) to talk to the router (for DHCP/DNS)
68-iptables -A INPUT -i eth1 -j ACCEPT
69-
70-# --- 3. The "Stateful" Firewall (Crucial for Internet) ---
71-# Allow traffic that YOU started to come back in.
72-# This lets you browse the web but stops hackers from starting a connection to you.
73-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
74-iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
75-
76-# --- 4. Allow Outbound Internet ---
77-# Allow your home devices (eth1) to send requests out to the web (eth0)
78-iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
79-
80-# --- 5. NAT (Masquerade) ---
81-iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
82-
83-iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
84-
85-iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
86-
87-iptables -N SYN_FLOOD
88-iptables -A INPUT -p tcp --syn -j SYN_FLOOD
89-iptables -A SYN_FLOOD -m limit --limit 25/s --limit-burst 50 -j RETURN
90-iptables -A SYN_FLOOD -j DROP
91-
92-# Drop packets that are not a new SYN but aren't part of an established connection
93-iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
94-
95-# Drop "XMAS" and "Null" packets (common scanner/flood techniques)
96-iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
97-iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
98-
99-iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
100-iptables -A INPUT -p icmp -j DROP
101-
102-# Ignore any packet on eth0 that claims to be from a private internal IP
103-for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
104-    echo 1 > $i
105-done
106-
107-iptables -A INPUT -i eth0 -p udp --dport 67:68 -j DROP
108-iptables -A INPUT -i eth0 -p udp --dport 137:139 -j DROP
109-iptables -A INPUT -i eth0 -d 255.255.255.255 -j DROP
110-
111-# Forward HTTP (80)
112-iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.11
113-
114-# Forward DNS (53) - Both UDP and TCP
115-iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.0.11
116-iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 192.168.0.11
117-
118-# Allow the forwarded traffic to reach the server
119-iptables -A FORWARD -d 192.168.0.11 -p tcp --dport 80 -j ACCEPT
120-iptables -A FORWARD -d 192.168.0.11 -p udp --dport 53 -j ACCEPT
121-iptables -A FORWARD -d 192.168.0.11 -p tcp --dport 53 -j ACCEPT
122-iptables -A FORWARD -d 192.168.0.11 -p udp --dport 53 -m limit --limit 50/s -j ACCEPT
123-iptables -A FORWARD -d 192.168.0.11 -p tcp --dport 53 -m limit --limit 50/s -j ACCEPT
124-iptables -A FORWARD -d 192.168.0.11 -p tcp --dport 80 -m limit --limit 50/s -j ACCEPT
125-
126-iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.11 -p tcp --dport 80 -j MASQUERADE
127-iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.11 -p udp --dport 53 -j MASQUERADE
128-iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.11 -p tcp --dport 53 -j MASQUERADE
129diff --git a/modules/firmware.sh b/modules/firmware.sh
130index 7897d3b..d95a2c8 100755
131--- a/modules/firmware.sh
132+++ b/modules/firmware.sh
133@@ -1,11 +1,10 @@
134 #!/bin/bash
135 
136 # 1. Define your target modules
137-# Using xhci-pci usually pulls in xhci-hcd, and usbhid pulls in hid/usbcore
138 TARGET_MODS="xhci-pci usbhid hid-generic hid-apple r8169 realtek libphy \
139 libcrc32c crc32c_generic \
140-nf_tables nft_compat nft_counter nft_chain_nat nft_nat nft_masq \
141-nfnetlink nfnetlink_log nfnetlink_queue nf_tables_netdev"
142+nf_tables nft_chain_nat nft_nat nft_masq \
143+nfnetlink nf_conntrack nft_ct nft_limit nft_reject"
144 
145 # 2. Clear and recreate the module directory structure
146 KVER=$(uname -r)
147diff --git a/modules/network.sh b/modules/network.sh
148index 1bbe2e1..360db70 100755
149--- a/modules/network.sh
150+++ b/modules/network.sh
151@@ -1,31 +1,65 @@
152 #!/bin/sh
153 
154-# Set IP forwarding
155+# 1. Hardware & Forwarding
156 echo 1 > /proc/sys/net/ipv4/ip_forward
157-
158-# Bring up interfaces
159 ip link set lo up
160 ip link set eth0 up
161 ip link set eth1 up
162 ip addr add 192.168.0.1/24 dev eth1
163 
164-# DHCP Server for local network
165+# 2. Networking Services
166 touch /var/lib/misc/udhcpd.leases
167 udhcpd /etc/udhcpd.conf &
168 
169-# Request ISP IP - Backgrounded so boot continues
170-udhcpc -i eth0 -s /usr/share/udhcpc/default.script -b &
171+# Get IP from ISP - restoration of the default script is mandatory for routing!
172+# We use -n (now) to make the script wait until the IP is actually set.
173+udhcpc -i eth0 -s /usr/share/udhcpc/default.script -n -q -t 5
174 
175-# --- Firewall Rules ---
176-# Flush the ruleset to ensure a clean state
177-nft flush ruleset
178+# Give the kernel a second to settle the routing table
179+sleep 2
180 
181-# Create the most basic table structure
182-# Note: Use single quotes so the shell doesn't mess with the curly braces
183+# --- 3. nftables Firewall (Stateful & Hardened) ---
184+nft flush ruleset
185 nft add table ip filter
186-nft 'add chain ip filter forward { type filter hook forward priority 0 ; policy accept ; }'
187-
188-# If the above succeeds, try the NAT table
189 nft add table ip nat
190+nft add table ip mangle
191+
192+# Define Chains
193+nft 'add chain ip filter input { type filter hook input priority 0 ; policy drop ; }'
194+nft 'add chain ip filter forward { type filter hook forward priority 0 ; policy drop ; }'
195+nft 'add chain ip filter output { type filter hook output priority 0 ; policy accept ; }'
196+nft 'add chain ip nat prerouting { type nat hook prerouting priority -100 ; }'
197 nft 'add chain ip nat postrouting { type nat hook postrouting priority 100 ; }'
198+nft 'add chain ip mangle forward { type filter hook forward priority -150 ; }'
199+
200+# --- 1. INPUT (Traffic to Router) ---
201+nft add rule ip filter input iifname "lo" accept
202+nft add rule ip filter input iifname "eth1" accept
203+nft add rule ip filter input ct state established,related accept
204+nft add rule ip filter input iifname "eth0" udp dport 67-68 accept
205+nft add rule ip filter input ip protocol icmp icmp type echo-request limit rate 2/second accept
206+nft add rule ip filter input ct state invalid drop
207+
208+# --- 2. FORWARD (Traffic through Router) ---
209+# TCP MSS Clamping (Crucial for web browsing stability)
210+nft add rule ip mangle forward tcp flags syn tcp option maxseg size set rt mtu
211+
212+nft add rule ip filter forward ct state established,related accept
213+nft add rule ip filter forward iifname "eth1" oifname "eth0" accept
214+nft add rule ip filter forward iifname "eth1" oifname "eth1" accept
215+
216+# Forwarding to your Server (.11)
217+nft add rule ip filter forward ip daddr 192.168.0.11 tcp dport 80 limit rate 50/second accept
218+nft add rule ip filter forward ip daddr 192.168.0.11 { tcp, udp } dport 53 limit rate 50/second accept
219+
220+# --- 3. NAT & PORT FORWARDING ---
221+# Inbound Port Forwards
222+nft add rule ip nat prerouting iifname "eth0" tcp dport 80 dnat to 192.168.0.11
223+nft add rule ip nat prerouting iifname "eth0" { tcp, udp } dport 53 dnat to 192.168.0.11
224+
225+# Hairpin NAT (Internal devices using public IP/Domain)
226+nft add rule ip nat postrouting ip saddr 192.168.0.0/24 ip daddr 192.168.0.11 tcp dport 80 masquerade
227+nft add rule ip nat postrouting ip saddr 192.168.0.0/24 ip daddr 192.168.0.11 { tcp, udp } dport 53 masquerade
228+
229+# Outbound NAT (Internet for everyone)
230 nft add rule ip nat postrouting oifname "eth0" masquerade
231diff --git a/modules/script.sh b/modules/script.sh
232index 29d8ad2..aead671 100755
233--- a/modules/script.sh
234+++ b/modules/script.sh
235@@ -20,25 +20,30 @@ cat << EOF > root/init
236 /bin/modprobe libphy
237 /bin/modprobe r8169
238 
239-# 1. Load the Netlink communication layer FIRST
240+# 1. Base Netlink
241 /bin/modprobe nfnetlink
242 
243-# 2. Load the core nftables engine
244+# 2. Core Engine (Handles payload, lookup, filter chains automatically)
245 /bin/modprobe nf_tables
246 
247-# 3. Load the specific engines for NAT and Filtering
248-/bin/modprobe nft_chain_nat
249+# 3. Connection Tracking
250+/bin/modprobe nf_conntrack
251+/bin/modprobe nft_ct
252+
253+# 4. Specific Extensions
254+/bin/modprobe nft_limit
255+/bin/modprobe nft_reject
256+
257+# 5. NAT Stack
258 /bin/modprobe nft_nat
259+/bin/modprobe nft_chain_nat
260 /bin/modprobe nft_masq
261-/bin/modprobe nft_payload
262-/bin/modprobe nft_lookup
263 
264 # Give the kernel a second to register the netlink interface
265 sleep 1
266 
267 # Start the firewall
268-/lib/network.sh > /tmp/boot_debug.log 2>&1
269-#./lib/firewall.sh
270+/lib/network.sh
271 
272 sleep 2
273