rpthms / nft-geo-filter

Allow/deny traffic in nftables using country specific IP blocks
MIT License

Netdev set (enhancement) #15

Closed canonex closed 3 years ago

canonex commented 3 years ago

Let me share one more idea*.

If you want to allow traffic from a small number of zones (using the --allow parameter) you are still often dependent on services that reside in other countries (even if only to update your system). In this case you need to use --allow-established: that means you can't use the netdev table.

It would be very efficient to be able to declare a different set of countries to block directly in the netdev table (the ones where you are sure there are no useful services, the ones where most attacks come from...).

At the end you would have a set of countries that are definitely blocked in an efficient way by netdev and a set of allowed ones. All countries excluded from these sets would be blocked but reachable.

I imagine such a setup would be more complex and alter the simplicity of this script, but... here it is. Thank you, Riccardo

canonex commented 3 years ago

...but maybe I can get the same result of having two different tables by altering the table name? I'll try...

rpthms commented 3 years ago

Yes, you should be able to achieve this use case by running the script twice with different table names and families.

# First command blocks countries completely
$ sudo ./nft-geo-filter -f netdev -n no-exceptions -i eth0 <country_list>

# Second command blocks incoming packets from countries, but allows outgoing packets to the blocked countries
$ sudo ./nft-geo-filter -n some-exceptions --allow-established <country_list>
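
As an added illustration of the two-table layout rpthms describes (this is not code from nft-geo-filter and not what the script actually emits): a small Python generator that renders a hypothetical netdev table for the hard-blocked countries and an inet table for the allow-list with an established/related accept rule, plus a classifier that predicts which of the two tables decides an incoming packet's fate. Only the table names are taken from the commands above; the chain names, priorities, set names and the CIDR blocks (documentation ranges labelled with made-up country codes XA and XB) are assumptions made for this example.

```python
import ipaddress

# Constructed sample data: RFC 5737 / RFC 3849 documentation ranges labelled with
# made-up country codes. A real run would use the address lists the script downloads.
HARD_BLOCK = {"XA": ["192.0.2.0/24", "2001:db8:1::/48"]}   # netdev table, blocked outright
ALLOW = {"XB": ["198.51.100.0/24", "2001:db8:2::/48"]}     # inet table, the allow-list


def _split(cidrs):
    """Normalise CIDR strings and separate them into IPv4 and IPv6 lists."""
    v4, v6 = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        (v4 if net.version == 4 else v6).append(str(net))
    return v4, v6


def _set_block(name, family, elements):
    """Render one nft interval set; empty sets are omitted entirely."""
    if not elements:
        return ""
    return (f"    set {name} {{\n"
            f"        type {family}_addr\n"
            f"        flags interval\n"
            f"        elements = {{ {', '.join(elements)} }}\n"
            f"    }}\n")


def render_ruleset(iface, hard_block, allow,
                   netdev_table="no-exceptions", inet_table="some-exceptions"):
    """Return nft syntax for the two-table layout. Chain names and priorities are
    hypothetical; only the table names mirror the commands in the thread."""
    hb4, hb6 = _split(c for cidrs in hard_block.values() for c in cidrs)
    al4, al6 = _split(c for cidrs in allow.values() for c in cidrs)
    # Table 1: the ingress hook runs before conntrack, so these sources are
    # dropped in every connection state (no exceptions, not even for replies).
    out = [f"table netdev {netdev_table} {{\n",
           _set_block("block4", "ipv4", hb4),
           _set_block("block6", "ipv6", hb6),
           "    chain ingress {\n",
           f"        type filter hook ingress device {iface} priority -500; policy accept;\n"]
    if hb4:
        out.append("        ip saddr @block4 drop\n")
    if hb6:
        out.append("        ip6 saddr @block6 drop\n")
    out.append("    }\n}\n")
    # Table 2: the input hook sees conntrack state, so replies to connections this
    # host opened pass (the --allow-established behaviour) and then only the
    # allow-listed countries are accepted; everything else hits the drop policy.
    out += [f"table inet {inet_table} {{\n",
            _set_block("allow4", "ipv4", al4),
            _set_block("allow6", "ipv6", al6),
            "    chain input {\n",
            "        type filter hook input priority -200; policy drop;\n",
            "        iif lo accept\n",
            "        ct state established,related accept\n"]
    if al4:
        out.append("        ip saddr @allow4 accept\n")
    if al6:
        out.append("        ip6 saddr @allow6 accept\n")
    out.append("    }\n}\n")
    return "".join(out)


def classify(src, hard_block, allow, established=False):
    """Predict an incoming packet's fate under the layout above: 'drop:netdev',
    'accept:established', 'accept:allowed' or 'drop:inet' (loopback ignored)."""
    addr = ipaddress.ip_address(src)

    def in_any(groups):
        # Membership test across all CIDRs of all countries in the group.
        return any(addr in ipaddress.ip_network(c, strict=False)
                   for cidrs in groups.values() for c in cidrs)

    if in_any(hard_block):
        return "drop:netdev"          # ingress drop, even for replies we asked for
    if established:
        return "accept:established"   # allow-established lets the reply through
    if in_any(allow):
        return "accept:allowed"
    return "drop:inet"                # not allow-listed and not a reply: chain policy


if __name__ == "__main__":
    print(render_ruleset("eth0", HARD_BLOCK, ALLOW))
    for src, est in [("192.0.2.10", True), ("198.51.100.5", False),
                     ("203.0.113.7", False), ("203.0.113.7", True)]:
        print(src, "established" if est else "new", "->",
              classify(src, HARD_BLOCK, ALLOW, established=est))
```

The classifier makes the split explicit: a hard-blocked source is dropped at ingress even when the host itself initiated the connection, while an address in neither set is only reachable as a reply to outgoing traffic. The rendered text can be syntax-checked without loading it by writing it to a file and running nft -c -f on it.
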

canonex commented 3 years ago

It worked, this setup is now the base of my machines ;)