Fork of https://betaco.de/mirror/nft-blackhole altered for using netdev address family
LICENSE Initial commit 2020-04-17 19:03:52 +02:00
nft-blackhole-reload.service Deduplicate logging records in systemd 2023-10-16 18:52:00 -04:00
nft-blackhole-reload.timer Minor changes in systemd units and README.md 2020-09-22 20:46:09 +02:00
nft-blackhole.j2 Optimize packet processing 2024-04-16 16:52:10 +02:00
nft-blackhole.py Optimize packet processing 2024-04-16 16:52:10 +02:00
nft-blackhole.service Deduplicate logging records in systemd 2023-10-16 18:52:00 -04:00
nft-blackhole.yaml Optimize packet processing 2024-04-16 16:52:10 +02:00
README.md Update README file to reflect this fork of the project. 2023-10-16 14:40:37 -04:00

nft-blackhole

Script / daemon for blocking IPs in nftables by country and by blacklists.

Overview

Features
  • download publicly available blacklists and block the IPs they list
  • block or whitelist individual countries
  • whitelist individual networks or IP addresses
Configuration file
In the configuration file you can define:
  • IP versions supported (ipv4, ipv6)
  • blocking policy (reject, drop)
  • networks or IP addresses for the whitelist
  • blacklist URLs
  • whether to also block outbound connections to blacklisted IPs
  • list of countries
  • policy for the listed countries (accept, block)
  • ports excluded from country blocks
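To show how these options translate into a ruleset of the shape the README's nft commands expect (table inet blackhole with an input chain), here is an added example that is not the project's code. The config key names, the set names and the rule layout are assumptions; the whitelist entries are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample config shaped like the README's options; key names are assumptions.
CONFIG = {
    "ip_version": ["ipv4", "ipv6"],
    "policy": "drop",                    # reject | drop
    "whitelist": ["192.0.2.0/24", "198.51.100.7", "2001:db8::/32"],
    "block_output": True,                # also block outbound to blacklisted IPs
    "country_policy": "block",           # accept | block the listed countries
    "country_exclude_ports": [22, 443],  # TCP ports exempt from country blocks
}

def validate(cfg):
    """Fail closed: a typo here must not silently yield an over-broad ruleset."""
    if cfg["policy"] not in ("drop", "reject"):
        raise ValueError("policy must be drop or reject")
    if cfg["country_policy"] not in ("accept", "block"):
        raise ValueError("country_policy must be accept or block")
    # ip_network raises on a malformed entry instead of silently skipping it
    return [ip_network(n, strict=False) for n in cfg["whitelist"]]

def render(cfg):
    """Return nft ruleset text; blacklist and country sets are filled on reload."""
    whitelist, verdict = validate(cfg), cfg["policy"]
    ports = ", ".join(str(p) for p in cfg["country_exclude_ports"])
    sets, allow, deny, country, outbound = [], [], [], [], []
    for v in cfg["ip_version"]:
        ver = int(v[-1])
        proto, typ = ("ip", "ipv4_addr") if ver == 4 else ("ip6", "ipv6_addr")
        elems = ", ".join(str(n) for n in whitelist if n.version == ver)
        elems = f" elements = {{ {elems} }}" if elems else ""  # empty set is fine
        sets.append(f"  set whitelist-{v} {{ type {typ}; flags interval;{elems} }}")
        sets.append(f"  set blacklist-{v} {{ type {typ}; flags interval; }}")
        sets.append(f"  set country-{v} {{ type {typ}; flags interval; }}")
        allow.append(f"    {proto} saddr @whitelist-{v} accept")
        deny.append(f"    {proto} saddr @blacklist-{v} counter {verdict}")
        neg = "" if cfg["country_policy"] == "block" else "!= "
        country.append(f"    {proto} saddr {neg}@country-{v} counter {verdict}")
        if cfg["block_output"]:
            outbound.append(f"    {proto} daddr @blacklist-{v} counter {verdict}")
    # Rule order: whitelist, blacklists, port exemption, then country rules.
    exempt = [f"    tcp dport {{ {ports} }} accept"] if ports else []
    out = ["table inet blackhole {", *sets,
           "  chain input {", "    type filter hook input priority -1; policy accept;",
           *allow, *deny, *exempt, *country, "  }"]
    if outbound:
        out += ["  chain output {", "    type filter hook output priority -1; policy accept;",
                *outbound, "  }"]
    return "\n".join(out + ["}"])
```

The rendered text can be checked with `nft -c -f` before loading; the blacklist and country sets start empty and are meant to be populated by the reload step.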

Installation

Manual

Requirements
  • nftables
  • python 3.8+
  • python3-jinja2
  • python3-pyyaml
  • python3-systemd
  • systemd (for daemon)
File location
/usr/local/bin/nft-blackhole.py
/usr/local/share/nft-blackhole/nft-blackhole.j2
/usr/local/etc/nft-blackhole.yaml
/usr/local/lib/systemd/system/nft-blackhole.service
/usr/local/lib/systemd/system/nft-blackhole-reload.service
/usr/local/lib/systemd/system/nft-blackhole-reload.timer

Configuration

Set the configuration in the file

/usr/local/etc/nft-blackhole.yaml

Usage

Manual

As root:
/usr/local/bin/nft-blackhole.py start
/usr/local/bin/nft-blackhole.py reload
/usr/local/bin/nft-blackhole.py restart
/usr/local/bin/nft-blackhole.py stop

With systemd

As root:
systemctl enable nft-blackhole.service
systemctl start nft-blackhole.service
systemctl reload nft-blackhole.service
systemctl restart nft-blackhole.service

List packet counters for dropped/accepted traffic

nft list chain inet blackhole input

List table and sets for blackhole

nft list table inet blackhole

Refresh lists

Manual

/usr/local/bin/nft-blackhole.py reload
systemctl reload nft-blackhole.service

Crontab

0 */6 * * * systemctl reload nft-blackhole.service

Systemd Timer

systemctl enable --now nft-blackhole-reload.timer
systemctl list-timers --all

Credits

country-ip-blocks - CIDR country-level IP lists

https://iplists.firehol.org/ - aggregated, publicly available blacklists

License

Code released under MIT license.