Comments (11)
@frankofno The --exceptions option is ready for use! Just provide a comma-separated list of IP addresses that you want to allow to the --exceptions flag and packets from those IP addresses will always be accepted.
Copying the example from the README.md:
- Only allow packets from Monaco but create exceptions for Cloudflare's DNS service
Command to run:
nft-geo-filter --exceptions 1.0.0.1,1.1.1.1,2606:4700:4700::1001,2606:4700:4700::1111 --allow MC
Resulting ruleset:
table inet geo-filter {
	set filter-v4 {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 37.44.224.0/22, 80.94.96.0/20, 82.113.0.0/19, 87.238.104.0/21, 87.254.224.0/19, 88.209.64.0/18, 91.199.109.0/24, 176.114.96.0/20, 185.47.116.0/22, 185.162.120.0/22, 185.250.4.0/22, 188.191.136.0/21, 194.9.12.0/23, 195.20.192.0/23, 195.78.0.0/19, 213.133.72.0/21, 213.137.128.0/19 }
	}
	set filter-v6 {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { 2a01:8fe0::/32, 2a07:9080::/29, 2a0b:8000::/29 }
	}
	chain filter-chain {
		type filter hook prerouting priority -200; policy drop;
		ip saddr { 1.0.0.1, 1.1.1.1 } accept
		ip6 saddr { 2606:4700:4700::1001, 2606:4700:4700::1111 } accept
		ip6 saddr { ::1, fe80::/10 } accept
		ip saddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
		ip saddr @filter-v4 accept
		ip6 saddr @filter-v6 accept
	}
}
from nft-geo-filter.
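Added example, not code from nft-geo-filter or its author: a small dry-run evaluator that parses a ruleset in the shape printed above and reports the verdict a given source address would receive, walking the chain rules in order (exceptions first, then loopback/link-local, private ranges, the country sets, and finally the chain policy). The embedded ruleset is a constructed, trimmed copy of the one above; one element uses the `a-b` range form that `nft list` output shows elsewhere in this thread.

```python
import ipaddress
import re

# Constructed sample: the geo-filter ruleset from the comment above, trimmed to a few set elements.
RULESET = """
table inet geo-filter {
    set filter-v4 { type ipv4_addr; flags interval; auto-merge
        elements = { 37.44.224.0/22, 89.33.192.0-89.33.197.255 } }
    set filter-v6 { type ipv6_addr; flags interval; auto-merge
        elements = { 2a01:8fe0::/32 } }
    chain filter-chain {
        type filter hook prerouting priority -200; policy drop;
        ip saddr { 1.0.0.1, 1.1.1.1 } accept
        ip6 saddr { 2606:4700:4700::1001, 2606:4700:4700::1111 } accept
        ip6 saddr { ::1, fe80::/10 } accept
        ip saddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
        ip saddr @filter-v4 accept
        ip6 saddr @filter-v6 accept
    }
}
"""

def parse_elements(text):
    """Turn 'a/22, x-y, z' into (first, last) address pairs; accepts CIDR, range or host form."""
    ranges = []
    for tok in (t.strip() for t in text.split(",") if t.strip()):
        if "-" in tok:                               # interval printed as first-last
            lo, hi = (ipaddress.ip_address(p) for p in tok.split("-"))
        else:                                        # CIDR prefix or single host
            net = ipaddress.ip_network(tok, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        ranges.append((lo, hi))
    return ranges

def evaluate(ruleset, src):
    """Walk the chain in order and return the verdict ('accept' or 'drop') for a source IP."""
    addr = ipaddress.ip_address(src)
    family = "ip" if addr.version == 4 else "ip6"
    sets = {name: parse_elements(body) for name, body in
            re.findall(r"set (\S+) \{.*?elements = \{([^}]*)\}", ruleset, re.S)}
    policy = re.search(r"policy (\w+);", ruleset).group(1)
    for rule_family, match, verdict in re.findall(
            r"\b(ip6?) saddr (\{[^}]*\}|@\S+) (accept|drop)", ruleset):
        if rule_family != family:                    # ip rules never see IPv6 packets and vice versa
            continue
        ranges = sets[match[1:]] if match.startswith("@") else parse_elements(match.strip("{}"))
        if any(lo <= addr <= hi for lo, hi in ranges):
            return verdict                           # first matching terminal verdict wins
    return policy                                    # nothing matched: the chain policy applies
```

`evaluate(RULESET, "89.33.192.205")` returns "accept" through the filter-v4 range, while an address in no set and no exception list falls through to the chain policy, "drop".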
I can see "89.33.192.0/22" in the ro-aggregated.zone which includes your address.
from nft-geo-filter.
And when I run nft-geo-filter RO I can see 89.33.192.0-89.33.197.255 in the filter-v4 set, which includes 89.33.192.205. So, it looks like it's working to me.
from nft-geo-filter.
Let's say I want to include several countries (Romania, China, Russia); the command would look like this? All countries in one command, right?
nft-geo-filter --interface eth0 --no-ipv6 RO CN RU
from nft-geo-filter.
Re-run the script with the 4 commands:
nft-geo-filter --table-name ukraine-filter --interface eth0 --no-ipv6 UA
nft-geo-filter --table-name china-filter --interface eth0 --no-ipv6 CN
nft-geo-filter --table-name russia-filter --interface eth0 --no-ipv6 RU
nft-geo-filter --table-name romania-filter --interface eth0 --no-ipv6 RO
Guess that's the way to include multiple countries. The IPv6 addresses though are still in the filter.
from nft-geo-filter.
The --no-ipv6 argument only works with the netdev family, so you gotta do something like:
nft-geo-filter --table-family netdev --table-name whatever --interface eth0 --no-ipv6 CN RU RO
If you don't want to use the netdev family and also don't want a set of IPv6 addresses, you got to use the "ip" family:
nft-geo-filter --table-family ip --table-name whatever RO CN RU
from nft-geo-filter.
Thank you so much. One more time. Using the command like this
nft-geo-filter --table-family netdev --table-name whatever --interface eth0 --no-ipv6 CN RU RO
will put ONLY the addresses from the last country (RO) in. CN and RU addresses are not in there. Do I have to use this command 3 times for each country with a different table-name?
Is it possible to get multiple countries in one command?
And finally, if 1 IP address should be excluded from that country, how can I accomplish that? Although the 1 IP is allowed in my chain it's not working anymore. I guess it's because of the -200 priority?!
Sorry for those noob questions :))
from nft-geo-filter.
will put ONLY the addresses from the last country (RO) in. CN and RU addresses are not in there. Do I have to use this command 3 times for each country with a different table-name?
Oh wow! I did not realize that. That is an embarrassing bug. You're right, only the last country's IP block is being included in the filter set. That's definitely a problem. I'll try to fix that. In the meantime, you can run the script 3 different times with a single country, just like you suggested.
And finally, if 1 IP address should be excluded from that country, how can I accomplish that?
Adding exceptions to the filter set is still something that I have to add to the script. It's not supported right now. I'll probably add another argument called --exceptions to the script and you can add the list of IP addresses you want to be allowed using the exceptions argument like --exceptions 1.1.1.1.
Thank you for testing out my script @frankofno. Really appreciate it!
from nft-geo-filter.
@frankofno I've just pushed a change to the script. The script should now work correctly when more than one country is specified in the arguments to the script. Please download the script again and give it a shot.
I still have to work on adding exceptions to the filter sets. Will let you know when I come up with something.
from nft-geo-filter.
Smooth :) Now it's working much more conveniently.
Blocks China, Russia, Romania, Ukraine all in one command.
/usr/local/bin/nft-geo-filter --table-family netdev --table-name SPAMMERS --interface eth0 --no-ipv6 CN RU RO UA
Would be great to get that --exceptions option, or is it already included in the last update?
from nft-geo-filter.
Awesome. Just tried it on my server, all fine. Exceptions included with multiple countries all in one command.
from nft-geo-filter.