From 8b9db2591c1ccd4a000543c706df9c2670cffc7e Mon Sep 17 00:00:00 2001 From: celso Date: Fri, 13 Dec 2024 05:20:40 -0300 Subject: [PATCH] modified README.md --- README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/README.md b/README.md index a326058..955afc2 100644 --- a/README.md +++ b/README.md 
@@ -26,6 +26,39 @@ If there are no errors, you can install and run with `make install` You can verify that your new rules are in place with `nft list ruleset` +To uninstall, run `make uninstall`, which will replace the contents of `/etc/nftables.conf` with the backup made at install-time and saved in `backup.conf`. + +### Modifying .nft files +The following are guidelines for editing the `.nft` files to your liking + +#### defines.nft +In `defines.nft` you can place your defines. + +Every service under the *TCP and UDP services* comment should be placed in tcp and udp named sets. + +Every service under the *TCP only services* comment should be placed in the tcp named set. + +Services under the *UDP only services* comment should be placed in the udp named sets. + +#### nat.nft +In `nat.nft` you can place your nat table, chains and rules. + +You don't need to include `defines.nft` since it is included in `filter.nft` + +#### filter.nft +In `filter.nft` you can place your filter table, chains and rules. + +This is the main file where you'll do most of your work. + +Make sure you erase the `ipv4_geo_blacklist` named set and rules related to it if you're not going to block country-wide IP ranges. + +### makeconf script +This script unifies the `.nft` files into a single `nftables.conf` file ready to be placed into `/etc/nftables.conf`. + +It replaces includes of local `.nft` files with their contents into `filter.nft` and saves it as `nftables.conf`. + +It also checks which countries you want to block by checking what files exist under `/var/geoipsets/dbip/nftset/ipv4/*.ipv4` and places them into the `ipv4_geo_blacklist` named set. + ### Bug-reporting Try to register an account, wait to be approved and submit an issue. If I take too long to approve your account or I reject your application, you can send me an email at celsochan@disroot.org
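Review bot: the uninstall paragraph says `make uninstall` replaces `/etc/nftables.conf` with the backup "saved in `backup.conf`" but never states where `backup.conf` lives or what happens when it is missing (for example if `make install` was never run on this host); since the target is the live firewall ruleset, the README should name the backup's path and state whether uninstall refuses to proceed without it. In the same hunk, the `defines.nft` section mixes "the tcp named set" with "the udp named sets" (singular vs. plural) and the guidelines sentence lacks a trailing period; also, the `filter.nft` section tells the reader to erase `ipv4_geo_blacklist` when not blocking countries while the `makeconf` section says the set is populated from whatever `.ipv4` files exist, so it would help to state what `makeconf` does when no such files are present.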