collabvm/nftables
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add nftables config patch

Browse source
This commit is contained in:
root 2024-02-12 12:40:43 -05:00
parent 3194f4b3f2
commit 6cfac7c624
2 changed files with 31 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
README.md
View file

@ -4,31 +4,10 @@
To use these lists, first clone them to the nftables.d directory like this: To use these lists, first clone them to the nftables.d directory like this:
`sudo git clone https://git.computernewb.com/collabvm/nftables /etc/nftables.d` `sudo git clone https://git.computernewb.com/collabvm/nftables /etc/nftables.d`
then, make the following changes to `/etc/nftables.conf`: Patch nftables config: `sudo patch -p1 /etc/nftables.conf < /etc/nftables.d/nftables.patch`
Add this below `flush ruleset` at the top of the file:
```
include "/etc/nftables.d/blocklist.nft"
```
Add this below `table inet filter {`:
```
set blocklist {
type ipv4_addr
flags interval
elements = { $blocklist }
}
```
Add this after `udp dport 443 log prefix "Dropped (UDP/443): " drop` within `chain noforward {`:
```
meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
```
Reload nftables: `sudo nft -f /etc/nftables.conf` Reload nftables: `sudo nft -f /etc/nftables.conf`
## Configuring automated updates ## Configuring automated updates
To automatically update these lists, add the following to root's crontab (`sudo crontab -e`): To automatically update these lists, add the following to root's crontab (`sudo crontab -e`):
``` ```

30
nftables.patch Normal file
View file

@ -0,0 +1,30 @@
--- nftables.conf 2023-06-09 19:16:58.000000000 -0400
+++ nftables.conf.2 2024-02-12 12:35:17.175626420 -0500
@@ -1,5 +1,6 @@
#!/usr/sbin/nft -f
flush ruleset
+include "/etc/nftables.d/blocklist.nft"
# SET TO WIREGUARD INTERFACE IP
define SNAT = 192.168.1.1
@@ -22,6 +23,11 @@
table inet filter {
+ set blocklist {
+ type ipv4_addr
+ flags interval
+ elements = { $blocklist }
+ }
chain forward {
type filter hook forward priority filter; policy drop;
@@ -34,6 +40,8 @@
meta iifname $WAN meta oifname $LAN accept
udp dport 80 log prefix "Dropped (UDP/80): " drop
udp dport 443 log prefix "Dropped (UDP/443): " drop
+ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
ct state related,established accept
log prefix "Packet discarded by policy: "
}