File: //proc/thread-self/root/opt/cpguard/app/scripts/fw_debug.sh
#!/bin/bash
#
# fw_debug.sh - Basic nftables & firewall diagnostic tool
# Read-only: only lists nft/systemd state, makes no system changes. Must run
# as root; executes the nft binary resolved from PATH (allow-listed below).
#

# Table identity the diagnostics look for (nft family + table name).
FAMILY="inet"
TABLE="cpguard_fw"

# Absolute locations where a trusted nft binary is expected; a PATH lookup
# that resolves anywhere else is rejected by the binary check below.
VALID_PATHS=(
    /usr/sbin/nft
    /sbin/nft
    /usr/bin/nft
    /bin/nft
)

# ANSI colour escapes, kept as literal "\e..." text and expanded by echo -e.
GREEN="\e[32m"
RED="\e[31m"
YELLOW="\e[33m"
CYAN="\e[36m"
RESET="\e[0m"

check() {
    # Print a section heading ("==> $1") in cyan on stdout; %b expands the
    # colour escapes the same way echo -e does.
    printf '%b\n' "${CYAN}==> $1${RESET}"
}

status() {
    # Print a pass/fail line: $1 is an exit-style code (0 = pass), $2 the text.
    # Anything other than 0 (including a non-integer, which [ reports on
    # stderr) is rendered as a failure.
    local glyph colour
    if [ "$1" -eq 0 ]; then
        glyph="✔"; colour=$GREEN
    else
        glyph="✘"; colour=$RED
    fi
    echo -e "   ${colour}${glyph} $2${RESET}"
}

warn() {
    # Print a non-fatal finding ("⚠ $1") in yellow, indented like status().
    printf '%b\n' "   ${YELLOW}⚠ $1${RESET}"
}

# --- Root check ---
# Everything below shells out to nft/systemctl, which need root to read the
# ruleset, so refuse to continue as any other effective user.
if (( EUID != 0 )); then
    printf '%b\n' "${RED}✘ Please run this script as root.${RESET}"
    exit 1
fi

printf '%b\n' "${CYAN}\nFirewall Debug Tool - nftables Diagnostics${RESET}"
echo "---------------------------------------------"

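# 1. Locate nft via the caller's PATH, then insist the resolved path is one of
#    the allow-listed absolute locations. The comparison is exact per entry:
#    the previous substring regex over the joined list would also accept a
#    value spanning several entries. A shell function or alias named nft
#    makes `command -v` print the bare name, which also fails the allow-list.
check "Checking for nft binary in standard paths..."
NFT_PATH=$(command -v nft 2>/dev/null)

if [[ -z "$NFT_PATH" ]]; then
    status 1 "nft binary not found. Please install nftables."
    exit 1
fi

NFT_ALLOWED=0
for candidate in "${VALID_PATHS[@]}"; do
    if [[ "$NFT_PATH" == "$candidate" ]]; then
        NFT_ALLOWED=1
        break
    fi
done

if (( NFT_ALLOWED )); then
    status 0 "nft binary found at ${NFT_PATH}"
else
    # Refuse to proceed rather than run an unexpected binary as root.
    status 1 "nft binary found at ${NFT_PATH}, but not in standard paths."
    echo -e "   Valid paths are:"
    for p in "${VALID_PATHS[@]}"; do
        echo "     - $p"
    done
    exit 1
fi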

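# 2. Report the nft version. Invoke the allow-listed path recorded above
#    rather than re-resolving the bare name "nft" through PATH, so the binary
#    that was validated is the one that runs.
check "Checking nft version..."
NFT_VER=$("$NFT_PATH" --version 2>/dev/null | awk '{print $2}')
if [[ -z "$NFT_VER" ]]; then
    status 1 "Unable to determine nft version (possibly broken install)"
else
    status 0 "nft version: $NFT_VER"
fi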

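# 3. Kernel version. Only the leading "major.minor" digits are used, taken
#    with a regex so a release string such as "5.10-rc1" cannot leave a
#    non-numeric minor for the arithmetic below (the old `cut -d.` split
#    would). Values go through 10# so a zero-padded field is not read as octal.
check "Checking kernel version..."
KERNEL_VER=$(uname -r)
echo -e "   Kernel version: ${KERNEL_VER}"

if [[ "$KERNEL_VER" =~ ^([0-9]+)\.([0-9]+) ]]; then
    K_MAJOR=$((10#${BASH_REMATCH[1]}))
    K_MINOR=$((10#${BASH_REMATCH[2]}))
    if (( K_MAJOR < 5 )); then
        warn "Kernel is very old (<5.x). nftables may not fully support features."
    elif (( K_MAJOR == 5 && K_MINOR < 10 )); then
        warn "Kernel is older than 5.10. Some nft features may be missing."
    else
        status 0 "Kernel version is recent enough"
    fi
else
    K_MAJOR=""
    K_MINOR=""
    warn "Could not parse kernel version '${KERNEL_VER}'"
fi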

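# 4. nftables table and chains, queried through the allow-listed binary.
#    Chain names are taken only from lines whose first token is "chain"; the
#    previous `grep -E 'chain '` would also have matched any other line
#    containing that text (e.g. a rule or comment mentioning a chain).
check "Checking nftables table and basic chains..."
if "$NFT_PATH" list table "$FAMILY" "$TABLE" >/dev/null 2>&1; then
    status 0 "Table '$FAMILY $TABLE' exists"
    mapfile -t CHAIN_NAMES < <("$NFT_PATH" list table "$FAMILY" "$TABLE" 2>/dev/null \
        | awk '$1 == "chain" { print $2 }')
    # Joined with spaces, as the original unquoted expansion printed them.
    echo "   Chains found: ${CHAIN_NAMES[*]}"
else
    status 1 "Table '$FAMILY $TABLE' not found. Firewall likely not initialized."
fi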

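# 5. Ruleset readability: a successful full dump through the allow-listed
#    binary is taken as "the ruleset loads"; output itself is discarded.
check "Checking nftables ruleset syntax..."
if "$NFT_PATH" list ruleset >/dev/null 2>&1; then
    status 0 "Ruleset dump successful"
else
    status 1 "Failed to read ruleset (broken setup or invalid rules)"
fi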

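# 6. Systemd service. A host without systemctl is reported as such instead of
#    being folded into "unit not found" (the old pipeline failed silently and
#    produced that message). The unit name is matched as a fixed string so the
#    "." is not a regex wildcard.
check "Checking nftables service status..."
if ! command -v systemctl >/dev/null 2>&1; then
    warn "systemctl not available; cannot check nftables service"
elif systemctl list-unit-files 2>/dev/null | grep -qF 'nftables.service'; then
    if systemctl is-active --quiet nftables; then
        status 0 "nftables service is active"
    else
        warn "nftables service exists but is not active"
    fi
else
    warn "nftables service not found (manual setup likely)"
fi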

# 7. IPv6 availability: the existence of /proc/net/if_inet6 is used as the
#    indicator that the IPv6 stack is present.
check "Checking IPv6 availability..."
if [[ -f /proc/net/if_inet6 ]]; then
    status 0 "IPv6 supported"
else
    warn "IPv6 not supported or disabled"
fi

# Closing banner; a blank line before and after, as the earlier echo -e calls
# produced, with colour escapes expanded by %b.
printf '\n%b\n' "${CYAN}Diagnostics completed.${RESET}"
echo "---------------------------------------------"
printf '%b\n\n' "If any ${RED}✘${RESET} or ${YELLOW}⚠${RESET} items appear above, please share this output with support."