nft-blackhole

From ArchWiki

This article or section is a candidate for merging with nftables.

Notes: Why copy the GitHub README, and why not just include a mention of your software as a simple two-line entry in nftables, see Template:App? (Discuss in Talk:Nft-blackhole)

nft-blackhole is a script/daemon for blocking IP addresses in nftables by country and by blacklists.

Features

  • download publicly available blacklists and block IPs from them,
  • block or whitelist individual countries,
  • whitelist individual networks or IP addresses,

Installation

Install the nft-blackholeAUR package.

Configuration file

In the configuration file /etc/nft-blackhole.conf you can define:

  • IP versions supported (ipv4, ipv6),
  • blocking policy (reject, drop),
  • networks or IP addresses for the whitelist,
  • blacklist URL addresses,
  • list of countries and the policy applied to them (accept, block).
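Downloaded blacklists are untrusted input: a malformed or overly broad entry (or one that covers your own management network) can lock you out just as effectively as an attacker. As an added example that is not part of nft-blackhole or this article, the following Python validates a blacklist before it reaches the blackhole table: it drops malformed lines, refuses prefixes shorter than a floor, and skips anything overlapping the whitelist. The sample list, the whitelist and the set names blacklist4/blacklist6 are constructed assumptions; only the table name inet blackhole comes from the article.

```python
import ipaddress

# Constructed sample of a downloaded blacklist: one network per line, comments
# and blank lines interleaved, plus entries a careless list might contain.
SAMPLE_BLACKLIST = """\
203.0.113.0/24
198.51.100.7
0.0.0.0/0        # overly broad: would block everything
10.0.0.0/8       # overlaps the whitelist below
not-an-address
2001:db8:bad::/48
"""
# Constructed whitelist, standing in for the networks given in the config file.
WHITELIST = ["10.0.0.0/8", "2001:db8:f00d::/48"]

def parse_blacklist(text, whitelist, min_prefix=(8, 32)):
    """Return (v4_nets, v6_nets, rejected): malformed lines, prefixes shorter
    than min_prefix (IPv4, IPv6) and whitelist overlaps are rejected."""
    allow = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not a valid address or network"))
            continue
        floor = min_prefix[0] if net.version == 4 else min_prefix[1]
        if net.prefixlen < floor:  # refuse entries that would black out whole regions
            rejected.append((entry, f"prefix shorter than /{floor}"))
            continue
        if any(a.version == net.version and net.overlaps(a) for a in allow):
            rejected.append((entry, "overlaps whitelist"))
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, rejected

def nft_add_elements(set_name, nets):
    """Render an 'nft add element' command for a set in table inet blackhole;
    set_name is assumed, check the real one with 'nft list table inet blackhole'."""
    if not nets:
        return None
    return f"nft add element inet blackhole {set_name} {{ {', '.join(map(str, nets))} }}"

if __name__ == "__main__":
    v4, v6, rejected = parse_blacklist(SAMPLE_BLACKLIST, WHITELIST)
    print(nft_add_elements("blacklist4", v4), nft_add_elements("blacklist6", v6), rejected, sep="\n")
```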

Usage

Start/enable the nft-blackhole.service unit.

List the packet counters for dropped/accepted traffic:

# nft list chain inet blackhole input

List the blackhole table and its sets:

# nft list table inet blackhole

Refresh lists

This can be done manually by reloading nft-blackhole.service. Start/enable nft-blackhole-reload.timer to automatically refresh lists using a systemd timer. This can also be done via a crontab:

0 */6 * * * systemctl reload nft-blackhole.service