Script / daemon for blocking IPs in nftables by country and blacklists.
Features:
- download publicly available blacklists and block IPs from them,
- block or whitelist individual countries,
- whitelist individual networks or IP addresses.
Configurable options:
- IP versions supported (ipv4, ipv6),
- blocking policy (reject, drop),
- networks or IP addresses for the whitelist,
- blacklist URL addresses,
- block output connections to blacklisted IPs,
- list of countries,
- policy for countries (accept, block),
- ports excluded from country blocks.
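As an added example (not the project's own nft-blackhole.py or template), the Python below renders an nftables ruleset from settings shaped like the options above, so the rule order can be read off before comparing it with `nft list table inet blackhole`: whitelisted addresses are accepted first, blacklisted addresses get the configured verdict regardless of port, and the excluded ports bypass only the country rule. The settings keys are assumptions standing in for the real nft-blackhole.conf keys, and the address lists are constructed samples.

```python
"""Render an nftables ruleset like the one nft-blackhole loads.

Added example, not the project's nft-blackhole.py or template: SETTINGS keys
are assumptions standing in for the real nft-blackhole.conf keys, and the
address lists are constructed samples (the daemon downloads the real ones).
"""
import ipaddress
SETTINGS = {"ip_version": ["4", "6"], "block_policy": "drop",  # reject or drop
            "block_output": True, "whitelist": ["192.0.2.0/24", "2001:db8::1"],
            "country_policy": "block",  # listed countries blocked (or accepted)
            "country_exclude_ports": [22, 443]}
BLACKLIST = ["198.51.100.0/24", "203.0.113.7", "2001:db8:bad::/48"]
COUNTRY_IPS = ["192.0.2.10", "198.51.100.0/24"]  # overlaps whitelist on purpose
FAM = {"4": "ip", "6": "ip6"}  # nft address-match keyword per IP version

def split_by_version(cidrs):
    """Validate each CIDR (junk lines raise ValueError) and bucket by version."""
    out = {"4": [], "6": []}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        out[str(net.version)].append(str(net))
    return out

def render_ruleset(settings, blacklist, country_ips):
    """Return nft text; rule order is whitelist, blacklist, ports, country."""
    verdict = settings["block_policy"]
    if verdict not in ("reject", "drop"):
        raise ValueError(f"unknown block_policy {verdict!r}")
    sets = {"whitelist": split_by_version(settings["whitelist"]), "country":
            split_by_version(country_ips), "blacklist": split_by_version(blacklist)}
    neg = "" if settings["country_policy"] == "block" else "!= "
    ports = ", ".join(str(p) for p in settings["country_exclude_ports"])
    out = ["table inet blackhole {"]
    for name, by_ver in sets.items():
        for v in settings["ip_version"]:
            body = f" elements = {{ {', '.join(by_ver[v])} }}" if by_ver[v] else ""
            out.append(f"  set {name}{v} {{ type ipv{v}_addr; flags interval;{body} }}")
    for chain in ["input"] + (["output"] if settings["block_output"] else []):
        addr = "saddr" if chain == "input" else "daddr"  # source in, destination out
        out.append(f"  chain {chain} {{ type filter hook {chain} priority -1; policy accept;")
        for v in settings["ip_version"]:  # whitelist wins; blacklist ignores port exclusions
            out.append(f"    {FAM[v]} {addr} @whitelist{v} accept")
            out.append(f"    {FAM[v]} {addr} @blacklist{v} {verdict}")
        if ports:  # excluded ports bypass only the country rule below
            out.append(f"    tcp dport {{ {ports} }} accept")
        for v in settings["ip_version"]:
            out.append(f"    {FAM[v]} {addr} {neg}@country{v} {verdict}")
        out.append("  }")
    out.append("}")
    return "\n".join(out)
```

The rendered text can be syntax-checked without loading it, using `nft -c -f` on a host with nftables installed.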
Installation on Arch Linux from the AUR, for example:
yay -S nft-blackhole
pikaur -S nft-blackhole
Installation on Debian, tested with Debian 10 (buster):
git clone -b debian-10 https://github.com/tomasz-c/nft-blackhole.git
sudo apt install nftables python3-yaml
sudo cp nft-blackhole.conf /etc/
sudo cp nft-blackhole.py /usr/bin/
sudo mkdir /usr/share/nft-blackhole
sudo cp nft-blackhole.template /usr/share/nft-blackhole/
sudo cp nft-blackhole.service /lib/systemd/system/
sudo cp nft-blackhole-reload.service /lib/systemd/system/
sudo cp nft-blackhole-reload.timer /lib/systemd/system/
Requirements:
- nftables
- python 3.6+
- python-yaml
- systemd (for daemon)
Installed files:
/usr/bin/nft-blackhole.py
/usr/share/nft-blackhole/nft-blackhole.template
/etc/nft-blackhole.conf
/usr/lib/systemd/system/nft-blackhole.service
/usr/lib/systemd/system/nft-blackhole-reload.service
/usr/lib/systemd/system/nft-blackhole-reload.timer
Configuration file:
/etc/nft-blackhole.conf
Manual control:
/usr/bin/nft-blackhole.py start
/usr/bin/nft-blackhole.py reload
/usr/bin/nft-blackhole.py restart
/usr/bin/nft-blackhole.py stop
Control via systemd:
systemctl enable nft-blackhole.service
systemctl start nft-blackhole.service
systemctl reload nft-blackhole.service
systemctl restart nft-blackhole.service
Check the loaded rules:
nft list chain inet blackhole input
nft list table inet blackhole
Reload the blacklists:
/usr/bin/nft-blackhole.py reload
systemctl reload nft-blackhole.service
Periodic reload with cron, e.g. every 6 hours:
0 */6 * * * systemctl reload nft-blackhole.service
Or with the bundled systemd timer:
systemctl enable --now nft-blackhole-reload.timer
systemctl list-timers --all
IP list sources:
country-ip-blocks - CIDR country-level IP lists
https://iplists.firehol.org/ - aggregated, publicly available blacklists
Code released under the MIT license.