individual IPs

[frankofno]

Since my BAD-GUYS list is getting longer and longer, I was wandering if there is a way to get an individual IP list into that script too?

Let's say I block Monaco and I want to block some IPs / IP ranges from US but I don't want to block the whole US. At the moment I edit another simple script to add those lines

• simple script

  !/bin/bash

  nft add chain inet filter BAD-GUYS { type filter hook input priority -10 \; policy accept\;} nft add rule inet filter BAD-GUYS ip saddr 1.2.3.4/24 drop nft add rule inet filter BAD-GUYS ip saddr 10.20.30.40/24 drop

so my idea was to have a file/list with just bad IPs / ranges that are blocked with the countries.

1.2.3.4/25 10.20.30.40/24

probably there is already a much smarter way to do it.

all the best

[rpthms]

Hmm, I don't think adding individual IPs to the filter sets would be ideal because the script is used to completely block a country and not just a few IP addresses from a particular country. Blocking only a few IP addresses can be easily achieved by using a script as you're doing right now. I don't see anything wrong with it.

Although, instead of using a script which calls nft again and again, you could edit your main nftables.conf file and add an include directive in that file that includes your "bad-guys" table.

Assuming your main nftables.conf is at /etc/nftables.conf. Just add this line at the bottom of the file:

# In /etc/nftables.conf
include /etc/nft-bad-guys.conf

And then in /etc/nft-bad-guys.conf, copy the following table which blocks the IPs that you want:

table inet bad-guys {
      set filter-v4 {
              type ipv4_addr
              flags interval
              auto-merge
              elements = {1.1.1.1,
                         1.1.1.2,
                         1.1.1.3}
      }

      set filter-v6 {
              type ipv6_addr
              flags interval
              auto-merge
              elements = {2001:db8::1,
                         2001:db8::2,
                         2001:db8::3}
      }

      chain filter-chain {
              type filter hook input priority filter; policy accept;
              ip saddr @filter-v4 drop
              ip6 saddr @filter-v6 drop
      }
}

Add whatever IPs you want to block in the filter-v4 and fitler-v6 sets and then restart nftables. Job done!

[frankofno]

I see. Yeah, I was thinkin about editing the conf too. I thought maybe creating a "fantasy country" FC that can be used like all the other countries but the IP ranges are not pulled from a country block website, but from the local file fantasy_country_ip_file. The file will just get called by your script with a fantasy country name like badland BL - spamhousen SH or something like that.

[rpthms]

At that point, we're shifting too many responsibilities from the nftables config to nft-geo-filter. The script will only create filter sets for real existing countries that are supported by ipdeny.com. Adding too much functionality to the script might turn it into an unmanageable mess, so let's try to avoid that.

In fact, one of my goals with this script was to avoid any config files and to only use the Python standard library so that nobody needs to download any third party Python packages. The previous version of this script actually required administrators to create empty filter sets and manually add the ip saddr @filter-v4 drop and ip6 saddr @filter-v6 drop statements to their nftables config. I wanted this script to be able to do everything that's needed to filter a country without asking the administrator to edit any config files, so I rewrote the entire script to do that. I'm trying to keep things as simple as possible.

[frankofno]

got it. That's what I like, keep it simple as possible. Let's do that! :) I will edit the nftables.conf Thanks for sharing your approach and help, learning a lot right now about nft

Cheers

[rpthms]

Thanks for understanding. I'll close this issue.