not all ip ranges included about nft-geo-filter HOT 11 CLOSED

@frankofno The --exceptions option is ready for use! Just provide a comma separated list of IP addresses that you want to allow to the --exceptions flag and packets from those IP addresses will always be accepted.

Copying the example from the README.md:

• Only allow packets from Monaco but create exceptions for Cloudflare's DNS service
  Command to run: nft-geo-filter --exceptions 1.0.0.1,1.1.1.1,2606:4700:4700::1001,2606:4700:4700::1111 --allow MC
  Resulting ruleset:

  table inet geo-filter {
        set filter-v4 {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 37.44.224.0/22, 80.94.96.0/20,
                             82.113.0.0/19, 87.238.104.0/21,
                             87.254.224.0/19, 88.209.64.0/18,
                             91.199.109.0/24, 176.114.96.0/20,
                             185.47.116.0/22, 185.162.120.0/22,
                             185.250.4.0/22, 188.191.136.0/21,
                             194.9.12.0/23, 195.20.192.0/23,
                             195.78.0.0/19, 213.133.72.0/21,
                             213.137.128.0/19 }
        }
  
        set filter-v6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 2a01:8fe0::/32,
                             2a07:9080::/29,
                             2a0b:8000::/29 }
        }
  
        chain filter-chain {
                type filter hook prerouting priority -200; policy drop;
                ip saddr { 1.0.0.1, 1.1.1.1 } accept
                ip6 saddr { 2606:4700:4700::1001, 2606:4700:4700::1111 } accept
                ip6 saddr { ::1, fe80::/10 } accept
                ip saddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
                ip saddr @filter-v4 accept
                ip6 saddr @filter-v6 accept
        }
  }
  

from nft-geo-filter.

I can see "89.33.192.0/22" in the ro-aggregated.zone which includes your address.

from nft-geo-filter.

And when I run nft-geo-filter RO in can see 89.33.192.0-89.33.197.255 in the filter-v4 set, which includes 89.33.192.205. So, it looks like it's working to me.

from nft-geo-filter.

Let's say I want to include several countries (Romania, China, Russia) the command would look like this? All countries in one command right?

nft-geo-filter --interface eth0 --no-ipv6 RO CN RU

from nft-geo-filter.

re-run the script with the 4 commands:

nft-geo-filter --table-name ukraine-filter --interface eth0 --no-ipv6 UA
nft-geo-filter --table-name china-filter --interface eth0 --no-ipv6 CN
nft-geo-filter --table-name russia-filter --interface eth0 --no-ipv6 RU
nft-geo-filter --table-name romania-filter --interface eth0 --no-ipv6 RO

guess that's the way to include multiple countries. The ipv6 addresses though are still in the filter.

from nft-geo-filter.

The --no-ipv6 argument only works with the netdev family, so you gotta do something like:

nft-geo-filter --table-family netdev --table-name whatever --interface eth0 --no-ipv6 CN RU RO

If you don't want to use the netdev family and also don't want a set of IPv6 addresses, you got to use the "ip" family:

nft-geo-filter --table-family ip --table-name whatever RO CN RU

from nft-geo-filter.

Thank you so much. One more time. Using the command like this
nft-geo-filter --table-family netdev --table-name whaterver --interface eth0 --no-ipv6 CN RU RO

will put ONLY the addresses from the last country (RO) in. CN and RU addresses are not in there. Do I have to use this command 3 times for each country with a different table-name?

Is it possible to get multiple countries in one command?

And finally, I if 1 ip-address should be excluded from that country, how can i accomplish that? Although the 1 IP is allowed in my chain it's not working anymore. I guess it's because of the -200 priority?!

Sorry for those noob questions :))

from nft-geo-filter.

will put ONLY the addresses from the last country (RO) in. CN and RU addresses are not in there. Do I have to use this command 3 times for each country with a different table-name?

Oh wow! I did not realize that. That is an embarrassing bug. You're right, only the last country's IP block is being included in the filter set. That's definitely a problem. I'll try to fix that. In the mean time, you can run the script 3 different times with a single country, just like you suggested.

And finally, I if 1 ip-address should be excluded from that country, how can i accomplish that?

Adding exceptions to the filter set is still something that I have to add to the script. It's not supported right now. I'll probably add another argument called --exceptions to the script and you can add the list of IP addresses you want to be allowed using the exceptions argument like --exceptions 1.1.1.1.

Thank you for testing out my script @frankofno. Really appreciate it!

from nft-geo-filter.

@frankofno I've just a pushed a change to the script. The script should now work correctly when more than one country is specified in the arguments to the script. Please download the script again and give it a shot.

I still have to work on adding exceptions to the filter sets. Will let you know when I come up with something.

from nft-geo-filter.

smooth :) now it's working much more convinient.

Blocks China, Russia, Romania, Ukraine all in one command.
/usr/local/bin/nft-geo-filter --table-family netdev --table-name SPAMMERS --interface eth0 --no-ipv6 CN RU RO UA

Would be great to get that --exceptions option or is it allready included in the last update?

from nft-geo-filter.

awesome. just tried it on my server, all fine. exceptions included with multiple countries all in one command.

from nft-geo-filter.