added geoip blacklist, modified makeconf.sh to add blocked countries and added conntrack checks in output chain

This commit is contained in:
celso 2024-12-13 04:28:57 -03:00
parent 35714944e5
commit 359a43654a
2 changed files with 33 additions and 6 deletions

View File

@ -2,6 +2,7 @@
flush ruleset
include "./defines.nft"
include "/var/geoipsets/dbip/nftset/ipv4/*.ipv4"
table ip filter {
set allowed_tcp_ports {
@ -26,8 +27,15 @@ table ip filter {
elements = { $DNS_PORT, $DHCP_OUT_PORT, $SNMP_POLL_PORT }
}
set ipv4_geo_blacklist {
type ipv4_addr;
flags interval;
elements = { };
}
chain in {
type filter hook input priority filter; policy drop;
ip saddr @ipv4_geo_blacklist drop;
ct state vmap { invalid : drop, related : accept, established : accept };
iifname "lo" accept;
icmp type echo-request accept;
@ -44,6 +52,8 @@ table ip filter {
chain out {
type filter hook output priority filter; policy drop;
ip daddr @ipv4_geo_blacklist drop;
ct state vmap { invalid : drop, related : accept, established : accept, new : accept };
udp dport @allowed_udp_ports_out accept;
oifname "lo" accept;
icmp type echo-reply accept;

View File

@ -1,33 +1,50 @@
#!/bin/bash
# ${1} is original filename
# ${2} is counter (use n for empty)
# ${2} is counter (start at 0)
# ${3} is file to replace from
replace(){
# change newlines to Ñ so we can use it as replacement pattern
local pattern=$(sed ':a;N;$!ba;s/\n/Ñ/g;s/\(\/\|\.\)/\\\1/g' "${3}")
if [ ${2} != "0" ]
# Ñ is changed back to newlines before saving file
then
local new_content="$(sed "1,/include/{s/include \"[a-z\.\/]\+\"/${pattern}/}" "${1}""$(bc -l <<< "${2} - 1")".nft | sed 's/Ñ/\n/g')";
local new_content="$(sed "1,/^include \"\.\/[a-z]\+\.nft\"$/{s/^include \"\.\/[a-z]\+\.nft\"$/${pattern}/}" "${1}""$(bc -l <<< "${2} - 1")".nft | sed 's/Ñ/\n/g')";
echo "${new_content}" > "${1}${2}".nft
else
local new_content="$(sed "1,/include/{s/include \"[a-z\.\/]\+\"/${pattern}/}" "${1}".nft | sed 's/Ñ/\n/g')";
local new_content="$(sed "1,/^include \"\.\/[a-z]\+\.nft\"$/{s/^include \"\.\/[a-z]\+\.nft\"$/${pattern}/}" "${1}".nft | sed 's/Ñ/\n/g')";
echo "${new_content}" > "${1}${2}".nft
fi
}
filename=filter
declare -i counter=0
for i in $(grep include filter.nft | awk '{print $2}' | tr -d \")
# only replace local files
declare -a local_includes=( $(grep "include \"\./[a-z.]\+\"" filter.nft | awk '{print $2}' | tr -d \"))
for i in ${local_includes[@]}
do replace "${filename}" "${counter}" "${i}"
counter+=1
done
#rename last temp file to nftables.conf
counter=${counter}-1
mv "${filename}""${counter}".nft nftables.conf
counter=${counter}-1
while [ ${counter} -ge 0 ]
do
rm "${filename}""${counter}".nft
#delete the rest of the temp files to nftables.conf
do rm "${filename}""${counter}".nft
counter=${counter}-1
done
# figure out what countries, if any, we're blocking
declare -a countries=($(ls -1 /var/geoipsets/dbip/nftset/ipv4/))
# figure out which line defines the elements of the blacklist set
line="$(grep -nA3 blacklist nftables.conf | grep elements | awk 'BEGIN{FS="-"} {print $1}')"
# insert names of the countries to block into the line that defines the elements of the set
for i in ${countries[@]};
do sed -i "${line} s/elements = { \([A-Z]\{2\}\.ipv4,\? \)*/elements = { \1\$${i}, /" nftables.conf
done
# delete unnecesary last comma
sed -i "${line} s/, }/ }/" nftables.conf