https://github.com/unknown0152/nft-firewall
Secure nftables firewall with WireGuard kill-switch, Docker isolation, and Cosmos Cloud hardening.
debian docker-security firewall homelab linux self-hosting vpn wireguard
- Host: GitHub
- URL: https://github.com/unknown0152/nft-firewall
- Owner: unknown0152
- License: other
- Created: 2026-04-24T14:14:14.000Z (4 days ago)
- Default Branch: main
- Last Pushed: 2026-04-24T16:24:46.000Z (3 days ago)
- Last Synced: 2026-04-24T18:24:28.200Z (3 days ago)
- Topics: debian, docker-security, firewall, homelab, linux, self-hosting, vpn, wireguard
- Language: Python
- Homepage:
- Size: 157 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: docs/SECURITY.md
README
# 🔥 NFT Firewall
Secure-by-default nftables firewall for Debian servers with WireGuard, Docker, and optional Cosmos Cloud hardening.
## Features
- nftables-only firewall
- WireGuard VPN killswitch
- Strict LAN mode by default
- Docker cannot open firewall holes
- Cosmos Cloud runs as non-root user `media`
- Public 80/443 ingress can be pinned to `wg0`
- Safe apply with rollback confirmation
- Runtime user separation: `fw-admin`, `media`, `backup`, `deploy`
## Warning
This installer changes firewall rules, Docker networking, systemd services, users, groups, and permissions.
Test it on a fresh Debian server first, and keep a separate SSH or console session open so a bad ruleset cannot lock you out.
## One-command install
```bash
wget -qO setup.sh https://raw.githubusercontent.com/unknown0152/nft-firewall/main/setup.sh && sudo bash setup.sh
```