diff --git a/blocklist.nft b/blocklist.nft
index f848cc6..fa841e4 100644
--- a/blocklist.nft
+++ b/blocklist.nft
@@ -197,4 +197,5 @@ define blocklist = {
 199.229.252.121,
 86.162.6.84,
 87.3.215.35,
+141.8.192.26,
 }
diff --git a/nftables.patch b/nftables.patch
index e0ef5b6..7c93761 100644
--- a/nftables.patch
+++ b/nftables.patch
@@ -1,25 +1,25 @@
---- nftables.conf 2023-06-10 01:16:58.000000000 +0200
-+++ nftables.conf.2 2024-03-30 17:53:25.967805988 +0100
+--- nftables.conf 2023-06-10 01:16:58.000000000 +0200
++++ /etc/nftables.conf 2024-03-30 18:04:11.549553009 +0100
 @@ -1,5 +1,6 @@
  #!/usr/sbin/nft -f
  flush ruleset
 +include "/etc/nftables.d/blocklist.nft"
-
+
  # SET TO WIREGUARD INTERFACE IP
  define SNAT = 192.168.1.1
 @@ -22,6 +23,11 @@
-
-
+
+
  table inet filter {
 +set blocklist {
 +type ipv4_addr
 +flags interval
 +elements = { $blocklist }
 +}
-
+
  chain forward {
  type filter hook forward priority filter; policy drop;
-@@ -32,12 +38,16 @@
+@@ -32,12 +38,15 @@
  # Accept LAN<->WAN traffic
  meta iifname $LAN meta oifname $WAN accept
  meta iifname $WAN meta oifname $LAN accept
@@ -34,25 +34,23 @@
 +meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
 +meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
 +
-+
- # Block all DNS resolvers beside the router
+ # Block all DNS resolvers beside the router
  th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
- # Block access to the SLiRP gateway
-@@ -48,6 +58,13 @@
+ # Block access to the SLiRP gateway
+@@ -48,6 +57,12 @@
  }
-
+
  table inet nat {
 +set blocklist {
 +type ipv4_addr
 +flags interval
 +elements = { $blocklist }
 +}
-+
  chain postrouting {
  type nat hook postrouting priority srcnat; policy accept;
  meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
-@@ -55,7 +72,7 @@
+@@ -55,7 +70,7 @@
  chain prerouting {
  type nat hook prerouting priority dstnat; policy accept;
  # Uncomment for E2Guardian
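Review bot: The new entry `141.8.192.26,` carries no provenance, and neither do its neighbours, so nobody can later tell why the address was blocked or when it is safe to retire it. nft accepts `#` comments inside a `define` list, so an inline note such as `141.8.192.26, # <reason / source feed>, added <date>` would keep the list auditable. The `define blocklist = {` block starts before this hunk.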
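Review bot: The blocklist drop rules the patch inserts into the forward chain sit directly after `meta iifname $LAN meta oifname $WAN accept` and `meta iifname $WAN meta oifname $LAN accept` (the last lines of this hunk, continued in the next), and `accept` ends rule evaluation in that chain, so a LAN->$WAN packet to a blocked address is accepted before `ip daddr @blocklist ... drop` is ever consulted. Move the two `@blocklist` drop rules above the `# Accept LAN<->WAN traffic` block so they are evaluated first. Separately, `set blocklist { type ipv4_addr ... }` inside an `inet` table only ever matches IPv4, so IPv6 forwarded traffic is untouched by the blocklist; if that is intended it deserves a comment next to the set, e.g. `# IPv4 only: IPv6 traffic is not filtered by this set`. The forward chain and the inner hunk continue outside this hunk.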