Optional blocking output connections to blacklisted IPs (#5)

tomasz-c · Oct 18, 2021 · b20de77 · b20de77
1 parent 9f4831b
commit b20de77
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -32,6 +32,7 @@ Script / daemon to blocking IP in nftables by country and black lists.
 - blocking policy (reject, drop,)
 - network or IP addresses for the white list,
 - blacklist url addresses,
+- block oututput connections to blacklisted IPs,
 - list of countries,
 - policy for countries (accept, block)
 

diff --git a/nft-blackhole.conf b/nft-blackhole.conf
@@ -11,6 +11,11 @@ IP_VERSION:
 BLOCK_POLICY: drop
 
 
+# Block output connections to blacklisted ips: 'on' or 'off', default: 'off'
+# Connections to blocked countries will still be possible.
+BLOCK_OUTPUT: off
+
+
 # Whitelist: IP or Network adresses
 WHITELIST:
   v4:

diff --git a/nft-blackhole.py b/nft-blackhole.py
@@ -30,6 +30,8 @@
 WHITELIST = config['WHITELIST']
 BLACKLIST = config['BLACKLIST']
 COUNTRY_LIST = config['COUNTRY_LIST']
+BLOCK_OUTPUT = config['BLOCK_OUTPUT']
+
 
 # Correct incorrect YAML parsing of NO (Norway)
 # It should be the string 'no', but YAML interprets it as False
@@ -40,6 +42,12 @@
 SET_TEMPLATE = ('table inet blackhole {\n\tset ${set_name} {\n\t\ttype ${ip_ver}_addr\n'
                 '\t\tflags interval\n\t\tauto-merge\n\t\telements = { ${ip_list} }\n\t}\n}').expandtabs()
 
+OUTPUT_TEMPLATE = ('\tchain output {\n\t\ttype filter hook output priority -1; policy accept;\n'
+                   '\t\tip daddr @whitelist-v4 counter accept\n'
+                   '\t\tip6 daddr @whitelist-v6 counter accept\n'
+                   '\t\tip daddr @blacklist-v4 counter ${block_policy}\n'
+                   '\t\tip6 daddr @blacklist-v6 counter ${block_policy}\n\t}').expandtabs()
+
 IP_VER = []
 for ip_v in ['v4', 'v6']:
     if config['IP_VERSION'][ip_v]:
@@ -57,6 +65,11 @@
     block_policy = BLOCK_POLICY
     country_policy = 'accept'
 
+if BLOCK_OUTPUT:
+    chain_output = Template(OUTPUT_TEMPLATE).substitute(block_policy=block_policy)
+else:
+    chain_output = ''
+
 # Setting urllib
 ctx = ssl.create_default_context()
 IGNORE_CERTIFICATE = False
@@ -82,7 +95,9 @@ def start():
     nft_template = open('/usr/share/nft-blackhole/nft-blackhole.template').read()
     nft_conf = Template(nft_template).substitute(default_policy=default_policy,
                                                  block_policy=block_policy,
-                                                 country_policy=country_policy)
+                                                 country_policy=country_policy,
+                                                 chain_output=chain_output)
+
     run(['nft', '-f', '-'], input=nft_conf.encode(), check=True)
 
 

diff --git a/nft-blackhole.template b/nft-blackhole.template
@@ -47,4 +47,6 @@ table inet blackhole {
                 ip6 saddr @country-v6 counter ${country_policy}
                 counter
         }
+
+        ${chain_output}
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -47,4 +47,6 @@ table inet blackhole { @@
                     ip6 saddr @country-v6 counter ${country_policy}
                     counter
             }
+            ${chain_output}
     }