From 359a43654a7bded9af3e1b468fe337ef19c34d5e Mon Sep 17 00:00:00 2001
From: celso
Date: Fri, 13 Dec 2024 04:28:57 -0300
Subject: [PATCH] added geoip blacklist, modified makeconf.sh to add blocked countries and added conntrack checks in output chain
---
filter.nft | 10 ++++++++++
makeconf.sh | 29 +++++++++++++++++++++++------
2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/filter.nft b/filter.nft
index 8860a68..ffc9f8a 100644
--- a/filter.nft
+++ b/filter.nft
@@ -2,6 +2,7 @@ flush ruleset
 include "./defines.nft"
+include "/var/geoipsets/dbip/nftset/ipv4/*.ipv4"
 table ip filter {
 set allowed_tcp_ports {
@@ -26,8 +27,15 @@ table ip filter {
 elements = { $DNS_PORT, $DHCP_OUT_PORT, $SNMP_POLL_PORT }
 }
+ set ipv4_geo_blacklist {
+ type ipv4_addr;
+ flags interval;
+ elements = { };
+ }
+
 chain in {
 type filter hook input priority filter; policy drop;
+ ip saddr @ipv4_geo_blacklist drop;
 ct state vmap { invalid : drop, related : accept, established : accept };
 iifname "lo" accept;
 icmp type echo-request accept;
@@ -44,6 +52,8 @@ table ip filter {
 chain out {
 type filter hook output priority filter; policy drop;
+ ip daddr @ipv4_geo_blacklist drop;
+ ct state vmap { invalid : drop, related : accept, established : accept, new : accept };
 udp dport @allowed_udp_ports_out accept;
 oifname "lo" accept;
 icmp type echo-reply accept;
diff --git a/makeconf.sh b/makeconf.sh
index 91b7a1b..34afb05 100755
--- a/makeconf.sh
+++ b/makeconf.sh
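Review bot: The new `ip saddr @ipv4_geo_blacklist drop;` in chain in discards silently, so nothing in the loaded ruleset shows whether the set is populated at all or how much traffic it stops; a `counter` on the rule (or a rate-limited `log prefix`) gives that visibility for free, `ip saddr @ipv4_geo_blacklist counter drop;`, and the matching `ip daddr` rule in chain out should get the same. Separately, the set is declared `flags interval;` without `auto-merge;`, so if any two ranges spliced into `elements` overlap, nft rejects the whole ruleset at load time instead of merging them; the per-country files are presumably disjoint, but adding `auto-merge;` after `flags interval;` removes that failure mode. chain in continues past the end of the hunk.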
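Review bot: `new : accept` in the `ct state vmap` line added to chain out accepts the first packet of every outbound connection, so the `udp dport @allowed_udp_ports_out accept` rule that follows and the chain's `policy drop` never see a new flow; the egress allow-list this chain expresses is effectively disabled by this one word. If the intent is only to fast-path replies, the vmap should mirror chain in, `ct state vmap { invalid : drop, related : accept, established : accept };`, and let new flows fall through to the port rules. If unrestricted egress is intended, the allow-list rules and the drop policy are dead code and should be removed with a comment saying so. chain out's body continues past the end of the hunk.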
@@ -1,33 +1,50 @@
 #!/bin/bash
 # ${1} is original filename
-# ${2} is counter (use n for empty)
+# ${2} is counter (start at 0)
 # ${3} is file to replace from
 replace(){
+ # change newlines to Ñ so we can use it as replacement pattern
 local pattern=$(sed ':a;N;$!ba;s/\n/Ñ/g;s/\(\/\|\.\)/\\\1/g' "${3}")
 if [ ${2} != "0" ]
+ # Ñ is changed back to newlines before saving file
 then
- local new_content="$(sed "1,/include/{s/include \"[a-z\.\/]\+\"/${pattern}/}" "${1}""$(bc -l <<< "${2} - 1")".nft | sed 's/Ñ/\n/g')";
+ local new_content="$(sed "1,/^include \"\.\/[a-z]\+\.nft\"$/{s/^include \"\.\/[a-z]\+\.nft\"$/${pattern}/}" "${1}""$(bc -l <<< "${2} - 1")".nft | sed 's/Ñ/\n/g')";
 echo "${new_content}" > "${1}${2}".nft
 else
- local new_content="$(sed "1,/include/{s/include \"[a-z\.\/]\+\"/${pattern}/}" "${1}".nft | sed 's/Ñ/\n/g')";
+ local new_content="$(sed "1,/^include \"\.\/[a-z]\+\.nft\"$/{s/^include \"\.\/[a-z]\+\.nft\"$/${pattern}/}" "${1}".nft | sed 's/Ñ/\n/g')";
 echo "${new_content}" > "${1}${2}".nft
 fi
 }
 filename=filter
 declare -i counter=0
-for i in $(grep include filter.nft | awk '{print $2}' | tr -d \")
+# only replace local files
+declare -a local_includes=( $(grep "include \"\./[a-z.]\+\"" filter.nft | awk '{print $2}' | tr -d \"))
+
+for i in ${local_includes[@]}
 do
 replace "$(unknown)" "${counter}" "${i}"
 counter+=1
 done
+#rename last temp file to nftables.conf
 counter=${counter}-1
 mv "$(unknown)""${counter}".nft nftables.conf
 counter=${counter}-1
 while [ ${counter} -ge 0 ]
-do
- rm "$(unknown)""${counter}".nft
+ #delete the rest of the temp files to nftables.conf
+ do rm "$(unknown)""${counter}".nft
 counter=${counter}-1
 done
+
+# figure out what countries, if any, we're blocking
+declare -a countries=($(ls -1 /var/geoipsets/dbip/nftset/ipv4/))
+# figure out which line defines the elements of the blacklist set
+line="$(grep -nA3 blacklist nftables.conf | grep elements | awk 'BEGIN{FS="-"} {print $1}')"
+# insert names of the countries to block into the line that defines the elements of the set
+for i in ${countries[@]};
+ do sed -i "${line} s/elements = { \([A-Z]\{2\}\.ipv4,\? \)*/elements = { \1\$${i}, /" nftables.conf
+done
+# delete unnecesary last comma
+sed -i "${line} s/, }/ }/" nftables.conf
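Review bot: Neither value spliced into the closing `sed -i` expressions is checked first: `line` is whatever `grep -nA3 blacklist nftables.conf | grep elements` yields, and when that is empty the address is empty and the substitution applies to every `elements = {` line in nftables.conf, so the country variables would land in the port sets as well (two matches would give a malformed address instead); `i` is a raw `ls` entry from the geoip directory interpolated unescaped into the replacement text, so a file there that is not named `XX.ipv4` or that carries sed-significant characters produces an unintended edit of the generated ruleset. Both should be validated before use: take `countries` from a glob filtered to `^[A-Z]{2}\.ipv4$` instead of parsing `ls`, and abort unless `line` is a single integer, as sketched below. The unquoted `${countries[@]}` and `${local_includes[@]}` expansions in the two `for` loops are still subject to globbing and should be `"${countries[@]}"` and `"${local_includes[@]}"`. The comment added between `if [ ${2} != "0" ]` and `then` in `replace` is legal but reads as part of the condition; it belongs on the line before the `local new_content=` assignment it describes.
```bash
# figure out what countries, if any, we're blocking
# (only names of the form XX.ipv4 are safe to splice into the sed expression below)
shopt -s nullglob
declare -a countries=()
for f in /var/geoipsets/dbip/nftset/ipv4/*.ipv4; do
  f=${f##*/}
  [[ "$f" =~ ^[A-Z]{2}\.ipv4$ ]] || { printf 'makeconf: skipping unexpected file %s\n' "$f" >&2; continue; }
  countries+=("$f")
done
# figure out which line defines the elements of the blacklist set
line="$(grep -nA3 blacklist nftables.conf | grep elements | awk 'BEGIN{FS="-"} {print $1}')"
[[ "$line" =~ ^[0-9]+$ ]] || { printf 'makeconf: could not find a single blacklist elements line\n' >&2; exit 1; }
# … unchanged: per-country sed -i loop and trailing-comma fix …
```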