Comments (5)
Hmm, I don't think adding individual IPs to the filter sets would be ideal because the script is used to completely block a country and not just a few IP addresses from a particular country. Blocking only a few IP addresses can be easily achieved by using a script as you're doing right now. I don't see anything wrong with it.
Although, instead of using a script which calls nft again and again, you could edit your main nftables.conf file and add an include directive in that file that includes your "bad-guys" table.
Assuming your main nftables.conf is at /etc/nftables.conf, just add this line at the bottom of the file (nft expects the include path in double quotes):

```
# In /etc/nftables.conf
include "/etc/nft-bad-guys.conf"
```
And then in /etc/nft-bad-guys.conf, copy the following table which blocks the IPs that you want:
```
table inet bad-guys {
    set filter-v4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 1.1.1.1,
                     1.1.1.2,
                     1.1.1.3 }
    }
    set filter-v6 {
        type ipv6_addr
        flags interval
        auto-merge
        elements = { 2001:db8::1,
                     2001:db8::2,
                     2001:db8::3 }
    }
    chain filter-chain {
        type filter hook input priority filter; policy accept;
        ip saddr @filter-v4 drop
        ip6 saddr @filter-v6 drop
    }
}
```
Add whatever IPs you want to block to the filter-v4 and filter-v6 sets and then restart nftables. Job done!
from nft-geo-filter.
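The include-file approach above, and the idea raised later in this thread of feeding the filter from a local list file instead of a country download, can be combined in a small standard-library-only script. The following is an added example, not code from nft-geo-filter or from the comment authors: it reads a list of hosts and CIDR blocks (the assumed path /etc/bad-guys.txt, one entry per line), renders a table in the same shape as the bad-guys table shown above, parse-checks it with `nft -c -f -` and only then writes the assumed include target /etc/nft-bad-guys.conf. The SAMPLE_LIST is constructed from documentation address ranges so the script can be exercised offline; `render_reload` goes one step beyond the posted conf by wrapping the table so that `nft -f` also removes entries that dropped out of the list.

```python
import ipaddress
import subprocess
import sys
from pathlib import Path

TABLE = "bad-guys"                           # table name, as in the conf above
LIST_FILE = Path("/etc/bad-guys.txt")        # assumed input: one IP or CIDR per line
OUT_FILE = Path("/etc/nft-bad-guys.conf")    # assumed include target

# Constructed sample list (RFC 5737 / RFC 3849 documentation ranges, not real
# attacker data): hosts, CIDR blocks, a comment and a blank line.
SAMPLE_LIST = """\
# sources to drop, reviewed weekly
192.0.2.10
192.0.2.11
198.51.100.0/24
2001:db8::1

2001:db8:abcd::/48   # whole allocation
"""

def parse_blocklist(text):
    """Return (v4, v6) lists of ip_network objects.  Blank lines and '#'
    comments are skipped; an invalid entry raises ValueError so a typo
    aborts the run instead of silently shrinking the filter."""
    v4, v6 = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6

def fmt(net):
    """Single hosts without a prefix length, CIDR blocks with one."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def render_set(name, addr_type, nets):
    """One set: 'flags interval' allows CIDR ranges as well as hosts and
    'auto-merge' collapses overlaps, which nft would otherwise reject."""
    lines = [f"    set {name} {{", f"        type {addr_type}",
             "        flags interval", "        auto-merge"]
    if nets:
        lines.append("        elements = { " + ", ".join(fmt(n) for n in nets) + " }")
    lines.append("    }")
    return "\n".join(lines)

def render_table(v4, v6, table=TABLE):
    """The complete table, in the shape of the conf posted above."""
    return "\n".join([
        f"table inet {table} {{",
        render_set("filter-v4", "ipv4_addr", v4),
        render_set("filter-v6", "ipv6_addr", v6),
        "    chain filter-chain {",
        "        type filter hook input priority filter; policy accept;",
        "        ip saddr @filter-v4 drop",
        "        ip6 saddr @filter-v6 drop",
        "    }", "}", ""])

def render_reload(v4, v6, table=TABLE):
    """Wrap the table so 'nft -f' replaces it in one transaction.  Loading
    the table alone only adds elements; declaring, deleting and recreating
    it also removes entries that left the list (declare first so the delete
    cannot fail when the table does not exist yet)."""
    return f"table inet {table}\ndelete table inet {table}\n" + render_table(v4, v6, table)

def nft_check(ruleset, nft="nft"):
    """Parse-check with 'nft -c -f -' without touching the kernel.
    Returns (ok, stderr).  PIPE instead of capture_output keeps Python 3.6."""
    proc = subprocess.run([nft, "-c", "-f", "-"], input=ruleset, universal_newlines=True,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode == 0, proc.stderr

def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    src = Path(argv[0]) if argv else LIST_FILE
    v4, v6 = parse_blocklist(src.read_text())
    conf = render_table(v4, v6)
    ok, err = nft_check(conf)
    if not ok:
        sys.exit(f"nft rejected the generated ruleset:\n{err}")
    OUT_FILE.write_text(conf)
    print(f"wrote {OUT_FILE}: {len(v4)} IPv4 and {len(v6)} IPv6 entries")

if __name__ == "__main__":
    main()
```

Run it as root after editing the list; the include in /etc/nftables.conf picks the file up on the next `nft -f /etc/nftables.conf` or nftables service restart. If you want to reload only this table without touching the rest of the ruleset, pipe `render_reload(v4, v6)` into `nft -f -` instead of writing the include file: the declare/delete/recreate prelude makes the swap a single transaction, so there is no window in which the sets are empty.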
At that point, we're shifting too many responsibilities from the nftables config to nft-geo-filter. The script will only create filter sets for real existing countries that are supported by ipdeny.com. Adding too much functionality to the script might turn it into an unmanageable mess, so let's try to avoid that.
In fact, one of my goals with this script was to avoid any config files and to only use the Python standard library so that nobody needs to download any third party Python packages. The previous version of this script actually required administrators to create empty filter sets and manually add the `ip saddr @filter-v4 drop` and `ip6 saddr @filter-v6 drop` statements to their nftables config. I wanted this script to be able to do everything that's needed to filter a country without asking the administrator to edit any config files, so I rewrote the entire script to do that. I'm trying to keep things as simple as possible.
from nft-geo-filter.
Got it. That's what I like, keep it as simple as possible. Let's do that! :)
I will edit the nftables.conf
Thanks for sharing your approach and help, learning a lot right now about nft
Cheers
from nft-geo-filter.
I see. Yeah, I was thinking about editing the conf too.
I thought maybe of creating a "fantasy country" FC that can be used like all the other countries, but whose IP ranges are not pulled from a country block website but from the local file fantasy_country_ip_file.
The file would just get called by your script with a fantasy country name like badland BL or spamhousen SH, or something like that.
from nft-geo-filter.
Thanks for understanding. I'll close this issue.
from nft-geo-filter.