add nftables config patch
This commit is contained in:
parent
3194f4b3f2
commit
6cfac7c624
2 changed files with 31 additions and 22 deletions
23
README.md
23
README.md
|
@ -4,31 +4,10 @@
|
|||
To use these lists, first clone them to the nftables.d directory like this:
|
||||
`sudo git clone https://git.computernewb.com/collabvm/nftables /etc/nftables.d`
|
||||
|
||||
then, make the following changes to `/etc/nftables.conf`:
|
||||
|
||||
Add this below `flush ruleset` at the top of the file:
|
||||
```
|
||||
include "/etc/nftables.d/blocklist.nft"
|
||||
```
|
||||
|
||||
Add this below `table inet filter {`:
|
||||
```
|
||||
set blocklist {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { $blocklist }
|
||||
}
|
||||
```
|
||||
|
||||
Add this after `udp dport 443 log prefix "Dropped (UDP/443): " drop` within `chain noforward {`:
|
||||
```
|
||||
meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
|
||||
meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
|
||||
```
|
||||
Patch nftables config: `sudo patch -p1 /etc/nftables.conf < /etc/nftables.d/nftables.patch`
|
||||
|
||||
Reload nftables: `sudo nft -f /etc/nftables.conf`
|
||||
|
||||
|
||||
## Configuring automated updates
|
||||
To automatically update these lists, add the following to root's crontab (`sudo crontab -e`):
|
||||
```
|
||||
|
|
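--- a/nftables.patch
+++ b/nftables.patch
@@ -0,0 +1,30 @@
+--- nftables.conf 2023-06-09 19:16:58.000000000 -0400
++++ nftables.conf.2 2024-02-12 12:35:17.175626420 -0500
+@@ -1,5 +1,6 @@
+#!/usr/sbin/nft -f
+flush ruleset
++include "/etc/nftables.d/blocklist.nft"
+
+# SET TO WIREGUARD INTERFACE IP
+define SNAT = 192.168.1.1
+@@ -22,6 +23,11 @@
+
+
+table inet filter {
++ set blocklist {
++ type ipv4_addr
++ flags interval
++ elements = { $blocklist }
++ }
+
+chain forward {
+type filter hook forward priority filter; policy drop;
+@@ -34,6 +40,8 @@
+meta iifname $WAN meta oifname $LAN accept
+udp dport 80 log prefix "Dropped (UDP/80): " drop
+udp dport 443 log prefix "Dropped (UDP/443): " drop
++ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
++ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+ct state related,established accept
+log prefix "Packet discarded by policy: "
+}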
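Review bot: The two blocklist rules in the third hunk of nftables.patch are inserted after the existing `meta iifname $WAN meta oifname $LAN accept`, so a forwarded packet from a blocklisted source arriving on $WAN is accepted before it ever reaches `ip saddr @blocklist`, and with the `meta iifname $LAN` qualifier the saddr rule only matches LAN-originated packets that carry a blocklisted source address. If the intent is to drop traffic in both directions, the two rules should move above that accept, and it is worth stating in a comment next to them whether the `iifname $LAN` restriction is deliberate. The set in the second hunk expands `$blocklist`, which this patch does not define; presumably it is provided by the included blocklist.nft, so a comment such as `# $blocklist is defined by /etc/nftables.d/blocklist.nft` above `set blocklist {` would make that dependency explicit and explain why the include must sit directly below `flush ruleset`. The `}` at the end of the last hunk appears to close `chain forward {`, but the rest of `table inet filter` lies outside the hunk.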