
Comments (5)

rpthms commented on June 15, 2024

Hmm, I don't think adding individual IPs to the filter sets would be ideal because the script is used to completely block a country and not just a few IP addresses from a particular country. Blocking only a few IP addresses can be easily achieved by using a script as you're doing right now. I don't see anything wrong with it.

Although, instead of using a script which calls nft again and again, you could edit your main nftables.conf file and add an include directive in that file that includes your "bad-guys" table.

Assuming your main nftables.conf is at /etc/nftables.conf. Just add this line at the bottom of the file:

# In /etc/nftables.conf
include /etc/nft-bad-guys.conf

And then in /etc/nft-bad-guys.conf, copy the following table which blocks the IPs that you want:

# Address-family independent table: one chain handles both IPv4 and IPv6
table inet bad-guys {
      # "flags interval" lets the set hold CIDR prefixes as well as single hosts;
      # "auto-merge" folds overlapping/adjacent entries into one element
      set filter-v4 {
              type ipv4_addr
              flags interval
              auto-merge
              elements = {1.1.1.1,
                         1.1.1.2,
                         1.1.1.3}
      }

      set filter-v6 {
              type ipv6_addr
              flags interval
              auto-merge
              elements = {2001:db8::1,
                         2001:db8::2,
                         2001:db8::3}
      }

      # Input hook with an accept policy: only sources listed in the sets are dropped,
      # everything else falls through to the rest of your ruleset
      chain filter-chain {
              type filter hook input priority filter; policy accept;
              ip saddr @filter-v4 drop
              ip6 saddr @filter-v6 drop
      }
}

Add whatever IPs you want to block in the filter-v4 and filter-v6 sets and then restart nftables. Job done!

from nft-geo-filter.
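Hand-editing the elements list gets tedious once the blocklist grows, and a typo in it stops the whole ruleset from loading. The following script is an added example, not code from nft-geo-filter or its author: it reads a plain-text blocklist (one IPv4/IPv6 address or CIDR prefix per line, "#" comments allowed; the file format and the SAMPLE data are assumptions for this illustration), validates every entry with the standard-library ipaddress module, collapses overlapping or adjacent prefixes, and renders a table in the same shape as the one shown above.

```python
"""Render an nftables include file from a local blocklist.

Added example (not part of nft-geo-filter).  Assumes a text file with one
IPv4/IPv6 address or CIDR prefix per line; '#' starts a comment.
"""
import ipaddress
import sys


def parse_blocklist(text):
    """Return (v4_networks, v6_networks), validated and collapsed."""
    v4, v6 = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set in a prefix (e.g. 10.1.2.3/24)
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            # fail loudly: a bad element would make nft reject the whole file
            raise ValueError(f"line {lineno}: {line!r} is not an IP address or prefix") from exc
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent prefixes and drops ones already
    # covered by a larger prefix, so the set stays small and sorted
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def fmt(net):
    """Single hosts are written without /32 or /128 for readability."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_set(name, addr_type, nets):
    lines = [f"\tset {name} {{",
             f"\t\ttype {addr_type}",
             "\t\tflags interval",
             "\t\tauto-merge"]
    if nets:  # an empty "elements = { }" is not valid nft syntax, so omit it
        lines.append("\t\telements = { " + ", ".join(fmt(n) for n in nets) + " }")
    lines.append("\t}")
    return "\n".join(lines)


def render_table(v4, v6, table="bad-guys"):
    """Emit a table matching the manual config from the comment above."""
    return (f"table inet {table} {{\n"
            f"{render_set('filter-v4', 'ipv4_addr', v4)}\n\n"
            f"{render_set('filter-v6', 'ipv6_addr', v6)}\n\n"
            "\tchain filter-chain {\n"
            "\t\ttype filter hook input priority filter; policy accept;\n"
            "\t\tip saddr @filter-v4 drop\n"
            "\t\tip6 saddr @filter-v6 drop\n"
            "\t}\n"
            "}\n")


# Constructed sample blocklist using documentation ranges (RFC 5737 / RFC 3849),
# chosen to exercise the overlap and adjacency handling.
SAMPLE = """# constructed sample, not real offenders
192.0.2.10
192.0.2.0/24       # covers the host above; the host is dropped as redundant
198.51.100.0/25
198.51.100.128/25  # adjacent to the previous prefix; merged into a /24
2001:db8::1
2001:db8:1::/48
"""

if __name__ == "__main__":
    # usage: python gen_bad_guys.py blocklist.txt > /etc/nft-bad-guys.conf
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    v4_nets, v6_nets = parse_blocklist(source)
    sys.stdout.write(render_table(v4_nets, v6_nets))
```

Before restarting nftables, check the combined ruleset with `nft -c -f /etc/nftables.conf` (parse-only mode), since an include file with a syntax error prevents the main ruleset from loading and can leave the host with no firewall rules at all.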

rpthms commented on June 15, 2024

At that point, we're shifting too many responsibilities from the nftables config to nft-geo-filter. The script will only create filter sets for real existing countries that are supported by ipdeny.com. Adding too much functionality to the script might turn it into an unmanageable mess, so let's try to avoid that.

In fact, one of my goals with this script was to avoid any config files and to only use the Python standard library so that nobody needs to download any third party Python packages. The previous version of this script actually required administrators to create empty filter sets and manually add the ip saddr @filter-v4 drop and ip6 saddr @filter-v6 drop statements to their nftables config. I wanted this script to be able to do everything that's needed to filter a country without asking the administrator to edit any config files, so I rewrote the entire script to do that. I'm trying to keep things as simple as possible.


frankofno commented on June 15, 2024

Got it. That's what I like, keep it as simple as possible. Let's do that! :)
I will edit the nftables.conf.
Thanks for sharing your approach and for your help, I'm learning a lot about nft right now.

Cheers


frankofno commented on June 15, 2024

I see. Yeah, I was thinking about editing the conf too.
I thought maybe creating a "fantasy country" FC that can be used like all the other countries, but whose IP ranges are not pulled from a country block website but from the local file fantasy_country_ip_file.
The file would just get called by your script with a fantasy country name like badland BL, spamhousen SH or something like that.


rpthms commented on June 15, 2024

Thanks for understanding. I'll close this issue.
