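#!/usr/bin/env bash
#
# Replace firewalld / UFW / iptables with a single nftables ruleset that
# accepts no inbound connections at all: no SSH, no LAN discovery, no
# casting, no file sharing. Outbound connections keep working because their
# reply packets are matched by conntrack, and loopback stays open so local
# services (stub resolvers, anything bound to 127.0.0.1/::1) keep working.
#
# Usage (as root, from a local console):  ./lockdown.sh
#   ALLOW_SSH_LOCKOUT=1   proceed even when the calling shell came in over SSH
#
# Ordering is chosen so the host is never left without a policy: the new
# ruleset is loaded atomically (flush + rules in one transaction) BEFORE the
# old stack is flushed by hand or purged.
#
# Fixes over the earlier revision: the progress messages used typographic
# quotes (“ ”), which bash does not treat as quotes -- the unquoted '>'
# redirected each message into a file named after its second word, and the
# unquoted '(' in the final message was a syntax error.
set -euo pipefail

log()  { printf '==> %s\n' "$*"; }
warn() { printf 'warning: %s\n' "$*" >&2; }
die()  { printf 'error: %s\n' "$*" >&2; exit 1; }

readonly conf=/etc/nftables.conf

# ---- preflight: fail before anything is torn down ----------------------------
(( EUID == 0 )) || die "must run as root"
command -v nft >/dev/null 2>&1 \
  || die "nft not found; install the nftables package before removing the old firewall"
command -v systemctl >/dev/null 2>&1 || die "systemctl not found"
command -v apt-get   >/dev/null 2>&1 || die "apt-get not found (Debian/Ubuntu only)"

# The ruleset below drops SSH, so a remote admin is cut off the moment it
# loads. Detection is best-effort: sudo usually strips SSH_* from the
# environment, so a console check cannot be fully relied on.
if [[ -n "${SSH_CONNECTION:-}${SSH_TTY:-}" && "${ALLOW_SSH_LOCKOUT:-0}" != 1 ]]; then
  die "this shell came in over SSH and the new ruleset drops SSH; run from a console, or set ALLOW_SSH_LOCKOUT=1 to proceed"
fi

# ---- stop the old firewall managers so they cannot re-add rules -------------
log "Stopping and disabling firewalld, UFW and the iptables services..."
# Units that are not installed make systemctl fail; that is expected here.
for unit in firewalld ufw iptables ip6tables; do
  systemctl stop    "$unit" 2>/dev/null || true
  systemctl disable "$unit" 2>/dev/null || true
done

# ---- write and load the new ruleset atomically ------------------------------
log "Writing locked-down ruleset to $conf..."
tmp=$(mktemp "$conf.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
# Quoted delimiter: nothing in the ruleset is meant to be shell-expanded.
cat >"$tmp" <<'EOF'
#!/usr/sbin/nft -f
# 'flush ruleset' and the rules below are applied in ONE transaction, so
# there is never a moment with the old rules gone and the new ones not yet in.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Loopback traffic never leaves the host. Dropping it breaks local
    # resolvers and services bound to 127.0.0.1/::1 without blocking
    # anything that comes from the network.
    iif "lo" accept

    # Packets conntrack cannot classify are dropped explicitly.
    ct state invalid drop

    # Reply packets for connections this host initiated (DNS answers, HTTP
    # responses, apt downloads). This matches no connection a peer opens
    # towards us -- new inbound flows still fall through to the drop policy.
    ct state established,related accept

    # IPv6 neighbour discovery is link-layer bookkeeping, not a connection;
    # without it the host cannot even find its IPv6 gateway.
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

    # Everything else -- SSH, mDNS/Avahi, SSDP, SMB, casting, pings --
    # is dropped by the chain policy.
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
chmod 0644 "$tmp"
# Syntax-check before touching anything; a typo here must not tear down the
# old firewall first.
nft -c -f "$tmp" || die "ruleset failed validation; old firewall left in place"
mv -f -- "$tmp" "$conf"
trap - EXIT

log "Loading nftables ruleset..."
nft -f "$conf"
# Persist across reboots. The unit's ExecStart re-runs the same file, which
# is idempotent thanks to the leading 'flush ruleset'.
systemctl enable --now nftables

# ---- remove leftover iptables state -----------------------------------------
# With the nf_tables backend (iptables-nft) the 'flush ruleset' above already
# removed every iptables table. Only the legacy backend keeps separate
# x_tables state that must be flushed by hand.
flush_legacy_tables() {
  local cmd=$1 table chain
  command -v "$cmd" >/dev/null 2>&1 || return 0
  if "$cmd" -V 2>/dev/null | grep -q nf_tables; then
    log "$cmd uses the nf_tables backend; nothing left to flush"
    return 0
  fi
  for table in filter nat mangle raw security; do
    # A table that was never used does not exist (its module may not even
    # be loadable); skip it instead of aborting the script.
    "$cmd" -t "$table" -F 2>/dev/null || continue
    "$cmd" -t "$table" -X 2>/dev/null || true
  done
  # -F keeps the chain policies. Reset them so a stale DROP policy does not
  # silently shadow the nftables ruleset that is now authoritative.
  for chain in INPUT FORWARD OUTPUT; do
    "$cmd" -P "$chain" ACCEPT 2>/dev/null || warn "could not reset $cmd $chain policy"
  done
}
log "Flushing legacy iptables state (IPv4 and IPv6)..."
flush_legacy_tables iptables
flush_legacy_tables ip6tables

# ---- now that the new policy is live, purge the old managers ----------------
# Only purge what is actually installed: apt-get exits non-zero for a package
# name it cannot locate, which would abort the script under set -e.
to_purge=()
for pkg in firewalld ufw; do
  if dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q '^install ok installed$'; then
    to_purge+=("$pkg")
  fi
done
if (( ${#to_purge[@]} )); then
  log "Purging ${to_purge[*]}..."
  apt-get purge -y "${to_purge[@]}"
else
  log "Neither firewalld nor ufw is installed; nothing to purge"
fi
apt-get autoremove -y

printf '%s\n' "Firewall locked down with no inbound connections allowed (including LAN, sharing, casting)."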