add nftables config patch

2024-02-12 12:40:43 -05:00 · 2024-02-12 12:40:43 -05:00 · 6cfac7c624
commit 6cfac7c624
parent 3194f4b3f2
2 changed files with 31 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -4,31 +4,10 @@
 To use these lists, first clone them to the nftables.d directory like this:
 `sudo git clone https://git.computernewb.com/collabvm/nftables /etc/nftables.d`

-then, make the following changes to `/etc/nftables.conf`:
-
-Add this below `flush ruleset` at the top of the file:
-```
-include "/etc/nftables.d/blocklist.nft"
-```
-
-Add this below `table inet filter {`:
-```
-        set blocklist {
-          type ipv4_addr
-          flags interval
-          elements = { $blocklist }
-        }
-```
-
-Add this after `udp dport 443 log prefix "Dropped (UDP/443): " drop` within `chain noforward {`:
-```
-                meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
-                meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
-```
+Patch nftables config: `sudo patch -p1 /etc/nftables.conf < /etc/nftables.d/nftables.patch`

 Reload nftables: `sudo nft -f /etc/nftables.conf`

-
 ## Configuring automated updates
 To automatically update these lists, add the following to root's crontab (`sudo crontab -e`):
 ```
--- a/nftables.patch
+++ b/nftables.patch
@ -0,0 +1,30 @@
+--- nftables.conf       2023-06-09 19:16:58.000000000 -0400
+++ nftables.conf.2     2024-02-12 12:35:17.175626420 -0500
+@@ -1,5 +1,6 @@
+ #!/usr/sbin/nft -f
+ flush ruleset
+include "/etc/nftables.d/blocklist.nft"
+
+ # SET TO WIREGUARD INTERFACE IP
+ define SNAT = 192.168.1.1
+@@ -22,6 +23,11 @@
+
+
+ table inet filter {
+        set blocklist {
+          type ipv4_addr
+          flags interval
+          elements = { $blocklist }
+        }
+
+         chain forward {
+                 type filter hook forward priority filter; policy drop;
+@@ -34,6 +40,8 @@
+                 meta iifname $WAN meta oifname $LAN accept
+                 udp dport 80 log prefix "Dropped (UDP/80): " drop
+                 udp dport 443 log prefix "Dropped (UDP/443): " drop
+                meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+                meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+                 ct state related,established accept
+                 log prefix "Packet discarded by policy: "
+         }