added geoip blacklist, modified makeconf.sh to add blocked countries and added conntrack checks in output chain
This commit is contained in:
parent
35714944e5
commit
359a43654a
10
filter.nft
10
filter.nft
|
@ -2,6 +2,7 @@
|
|||
flush ruleset
|
||||
|
||||
include "./defines.nft"
|
||||
include "/var/geoipsets/dbip/nftset/ipv4/*.ipv4"
|
||||
|
||||
table ip filter {
|
||||
set allowed_tcp_ports {
|
||||
|
@ -26,8 +27,15 @@ table ip filter {
|
|||
elements = { $DNS_PORT, $DHCP_OUT_PORT, $SNMP_POLL_PORT }
|
||||
}
|
||||
|
||||
set ipv4_geo_blacklist {
|
||||
type ipv4_addr;
|
||||
flags interval;
|
||||
elements = { };
|
||||
}
|
||||
|
||||
chain in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
ip saddr @ipv4_geo_blacklist drop;
|
||||
ct state vmap { invalid : drop, related : accept, established : accept };
|
||||
iifname "lo" accept;
|
||||
icmp type echo-request accept;
|
||||
|
@ -44,6 +52,8 @@ table ip filter {
|
|||
|
||||
chain out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
ip daddr @ipv4_geo_blacklist drop;
|
||||
ct state vmap { invalid : drop, related : accept, established : accept, new : accept };
|
||||
udp dport @allowed_udp_ports_out accept;
|
||||
oifname "lo" accept;
|
||||
icmp type echo-reply accept;
|
||||
|
|
29
makeconf.sh
29
makeconf.sh
|
@ -1,33 +1,50 @@
|
|||
#!/bin/bash
|
||||
|
||||
# ${1} is original filename
|
||||
# ${2} is counter (use n for empty)
|
||||
# ${2} is counter (start at 0)
|
||||
# ${3} is file to replace from
|
||||
replace(){
|
||||
# change newlines to Ñ so we can use it as replacement pattern
|
||||
local pattern=$(sed ':a;N;$!ba;s/\n/Ñ/g;s/\(\/\|\.\)/\\\1/g' "${3}")
|
||||
if [ ${2} != "0" ]
|
||||
# Ñ is changed back to newlines before saving file
|
||||
then
|
||||
local new_content="$(sed "1,/include/{s/include \"[a-z\.\/]\+\"/${pattern}/}" "${1}""$(bc -l <<< "${2} - 1")".nft | sed 's/Ñ/\n/g')";
|
||||
local new_content="$(sed "1,/^include \"\.\/[a-z]\+\.nft\"$/{s/^include \"\.\/[a-z]\+\.nft\"$/${pattern}/}" "${1}""$(bc -l <<< "${2} - 1")".nft | sed 's/Ñ/\n/g')";
|
||||
echo "${new_content}" > "${1}${2}".nft
|
||||
else
|
||||
local new_content="$(sed "1,/include/{s/include \"[a-z\.\/]\+\"/${pattern}/}" "${1}".nft | sed 's/Ñ/\n/g')";
|
||||
local new_content="$(sed "1,/^include \"\.\/[a-z]\+\.nft\"$/{s/^include \"\.\/[a-z]\+\.nft\"$/${pattern}/}" "${1}".nft | sed 's/Ñ/\n/g')";
|
||||
echo "${new_content}" > "${1}${2}".nft
|
||||
fi
|
||||
}
|
||||
|
||||
filename=filter
|
||||
declare -i counter=0
|
||||
for i in $(grep include filter.nft | awk '{print $2}' | tr -d \")
|
||||
# only replace local files
|
||||
declare -a local_includes=( $(grep "include \"\./[a-z.]\+\"" filter.nft | awk '{print $2}' | tr -d \"))
|
||||
|
||||
for i in ${local_includes[@]}
|
||||
do replace "${filename}" "${counter}" "${i}"
|
||||
counter+=1
|
||||
done
|
||||
|
||||
#rename last temp file to nftables.conf
|
||||
counter=${counter}-1
|
||||
mv "${filename}""${counter}".nft nftables.conf
|
||||
counter=${counter}-1
|
||||
|
||||
while [ ${counter} -ge 0 ]
|
||||
do
|
||||
rm "${filename}""${counter}".nft
|
||||
#delete the rest of the temp files to nftables.conf
|
||||
do rm "${filename}""${counter}".nft
|
||||
counter=${counter}-1
|
||||
done
|
||||
|
||||
# figure out what countries, if any, we're blocking
|
||||
declare -a countries=($(ls -1 /var/geoipsets/dbip/nftset/ipv4/))
|
||||
# figure out which line defines the elements of the blacklist set
|
||||
line="$(grep -nA3 blacklist nftables.conf | grep elements | awk 'BEGIN{FS="-"} {print $1}')"
|
||||
# insert names of the countries to block into the line that defines the elements of the set
|
||||
for i in ${countries[@]};
|
||||
do sed -i "${line} s/elements = { \([A-Z]\{2\}\.ipv4,\? \)*/elements = { \1\$${i}, /" nftables.conf
|
||||
done
|
||||
# delete unnecesary last comma
|
||||
sed -i "${line} s/, }/ }/" nftables.conf
|
||||
|
|
Loading…
Reference in New Issue