rpthms / nft-geo-filter

Allow/deny traffic in nftables using country specific IP blocks
MIT License
97 stars 24 forks

not all ip ranges included #3

Closed frankofno closed 4 years ago

frankofno commented 4 years ago

I added RO for Romania and not all IP blocks listed on the ipdeny site are included in the script.

For example: 89.33.192.205 the blocks are included on their site, but it's not in the elements

RO blocks: https://www.ipdeny.com/ipblocks/data/aggregated/ro-aggregated.zone

rpthms commented 4 years ago

I can see "89.33.192.0/22" in the ro-aggregated.zone which includes your address.

rpthms commented 4 years ago

And when I run nft-geo-filter RO I can see 89.33.192.0-89.33.197.255 in the filter-v4 set, which includes 89.33.192.205. So, it looks like it's working to me.

frankofno commented 4 years ago

Let's say I want to include several countries (Romania, China, Russia) the command would look like this? All countries in one command right?

nft-geo-filter --interface eth0 --no-ipv6 RO CN RU

frankofno commented 4 years ago

Re-run the script with the 4 commands:

nft-geo-filter --table-name ukraine-filter --interface eth0 --no-ipv6 UA
nft-geo-filter --table-name china-filter --interface eth0 --no-ipv6 CN
nft-geo-filter --table-name russia-filter --interface eth0 --no-ipv6 RU
nft-geo-filter --table-name romania-filter --interface eth0 --no-ipv6 RO

guess that's the way to include multiple countries. The ipv6 addresses though are still in the filter.

rpthms commented 4 years ago

The --no-ipv6 argument only works with the netdev family, so you gotta do something like:

nft-geo-filter --table-family netdev --table-name whatever --interface eth0 --no-ipv6 CN RU RO

If you don't want to use the netdev family and also don't want a set of IPv6 addresses, you got to use the "ip" family:

nft-geo-filter --table-family ip --table-name whatever RO CN RU

frankofno commented 4 years ago

Thank you so much. One more time. Using the command like this:

nft-geo-filter --table-family netdev --table-name whaterver --interface eth0 --no-ipv6 CN RU RO

will put ONLY the addresses from the last country (RO) in. CN and RU addresses are not in there. Do I have to use this command 3 times for each country with a different table-name?

Is it possible to get multiple countries in one command?

And finally, if 1 IP address should be excluded from that country, how can I accomplish that? Although the 1 IP is allowed in my chain it's not working anymore. I guess it's because of the -200 priority?!

Sorry for those noob questions :))

rpthms commented 4 years ago

> will put ONLY the addresses from the last country (RO) in. CN and RU addresses are not in there. Do I have to use this command 3 times for each country with a different table-name?

Oh wow! I did not realize that. That is an embarrassing bug. You're right, only the last country's IP block is being included in the filter set. That's definitely a problem. I'll try to fix that. In the meantime, you can run the script 3 different times with a single country, just like you suggested.

> And finally, if 1 IP address should be excluded from that country, how can I accomplish that?

Adding exceptions to the filter set is still something that I have to add to the script. It's not supported right now. I'll probably add another argument called --exceptions to the script and you can add the list of IP addresses you want to be allowed using the exceptions argument like --exceptions 1.1.1.1.

Thank you for testing out my script @frankofno. Really appreciate it!

rpthms commented 4 years ago

@frankofno I've just pushed a change to the script. The script should now work correctly when more than one country is specified in the arguments to the script. Please download the script again and give it a shot.

I still have to work on adding exceptions to the filter sets. Will let you know when I come up with something.
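To make the two points in this thread concrete (the "only the last country ends up in the set" bug and the table-family / exceptions / priority -200 questions), here is an added example that is not the nft-geo-filter script's own code. It assumes the ipdeny aggregated zone format (one CIDR per line), uses constructed sample zone data instead of downloading anything, and the table, chain and set names (`geo-filter`, `filter-chain`, `exceptions-v4`) plus the `hook input` choice for the `ip` family are illustrative assumptions; `filter-v4` is the set name seen earlier in the thread.

```python
"""Build an nftables geo-filter ruleset from ipdeny-style zone lists.

Added example (not the nft-geo-filter project's code). Zone data below is
constructed; the real script downloads <cc>-aggregated.zone from ipdeny.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample zone files (a few blocks per country, same line format
# as the ipdeny aggregated zone files: one CIDR per line).
ZONES: Dict[str, str] = {
    "RO": "89.33.192.0/22\n89.34.0.0/16\n# comments and blank lines are skipped\n\n",
    "CN": "1.0.1.0/24\n1.0.2.0/23\n",
    "RU": "2.16.4.0/22\n5.8.0.0/19\n",
}


def parse_zone(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one zone file: one network per line, ignoring blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def last_country_only(countries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """The defect reported in the thread: each country overwrites the list."""
    blocks: List[ipaddress.IPv4Network] = []
    for cc in countries:
        blocks = parse_zone(ZONES[cc])   # assignment instead of accumulation
    return blocks


def all_countries(countries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """The fix: accumulate every country's blocks, then merge overlapping ones."""
    blocks: List[ipaddress.IPv4Network] = []
    for cc in countries:
        blocks.extend(parse_zone(ZONES[cc]))
    return list(ipaddress.collapse_addresses(blocks))


def is_covered(addr: str, blocks: Iterable[ipaddress.IPv4Network]) -> bool:
    """The check the maintainer did by hand: does any block contain addr?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocks)


def parse_exceptions(spec: str) -> List[ipaddress.IPv4Address]:
    """Comma separated list as passed to --exceptions, e.g. "1.1.1.1,8.8.8.8"."""
    return [ipaddress.ip_address(p.strip()) for p in spec.split(",") if p.strip()]


def build_ruleset(countries, exceptions: str = "", table: str = "geo-filter",
                  iface: str = "eth0", family: str = "netdev") -> str:
    """Render an nft ruleset: blocked set, optional exception set, one chain."""
    blocks = all_countries(countries)
    allow = parse_exceptions(exceptions)
    if family == "netdev":
        # netdev tables hook at ingress and are bound to a device (assumed -200 priority).
        hook = f"type filter hook ingress device {iface} priority -200; policy accept;"
    elif family == "ip":
        # ip family has no device binding; hook input is an assumption here.
        hook = "type filter hook input priority -200; policy accept;"
    else:
        raise ValueError(f"unsupported family: {family}")
    lines = [f"table {family} {table} {{",
             "    set filter-v4 {", "        type ipv4_addr", "        flags interval",
             "        elements = { " + ", ".join(map(str, blocks)) + " }", "    }"]
    if allow:   # nft rejects an empty element list, so only emit the set when needed
        lines += ["    set exceptions-v4 {", "        type ipv4_addr",
                  "        elements = { " + ", ".join(map(str, allow)) + " }", "    }"]
    lines += ["    chain filter-chain {", f"        {hook}"]
    if allow:   # exception check must precede the drop inside the same chain
        lines.append("        ip saddr @exceptions-v4 accept")
    lines.append("        ip saddr @filter-v4 drop")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset(["CN", "RU", "RO"], exceptions="1.1.1.1"))
```

Because the geo-filter chain runs at priority -200, a chain at a higher priority number never sees a packet the filter already dropped, which is why an accept rule elsewhere does not help; the exception rule therefore sits in the same chain, before the drop.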

frankofno commented 4 years ago

Smooth :) now it's working much more conveniently.

Blocks China, Russia, Romania, Ukraine all in one command:

/usr/local/bin/nft-geo-filter --table-family netdev --table-name SPAMMERS --interface eth0 --no-ipv6 CN RU RO UA

Would be great to get that --exceptions option, or is it already included in the last update?

rpthms commented 4 years ago

@frankofno The --exceptions option is ready for use! Just provide a comma separated list of IP addresses that you want to allow to the --exceptions flag and packets from those IP addresses will always be accepted.

Copying the example from the README.md:

frankofno commented 4 years ago

awesome. just tried it on my server, all fine. exceptions included with multiple countries all in one command.