Jim Benna edited this page May 2, 2023 · 5 revisions

Welcome to the nft-rulesets wiki!

From my point of view a firewall should drop all traffic that is not explicitly allowed.

So I wanted to allow access to the resources that I host from only some countries and drop everything else. Unfortunately, country-level filtering alone is not granular enough to be accurate: we may also have to block some flows from compromised IP addresses or subnets located in countries that we have granted access to.

Here is how to proceed :

  1. Block a list of IP addresses or subnets using the netdev table functionality
  2. Allow the IP subnets of selected countries
  3. Block everything else.

And keep separate policies for IPv4 and IPv6.

This script and all the files provided try to achieve this goal using nftables. It is tested/developed on my Debian boxes, but I am pretty convinced that it ought to work on any Linux flavour, as long as you have access to the software that the script uses. Since the script checks at the beginning whether it can find and execute every program it needs, it will tell you the reason why it cannot run on your server.
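The three-step policy above, as an added POSIX shell example that is not the nft-rulesets script itself: it joins one-prefix-per-line list files into nft set elements (the same transformation as the comma/join step of the script) and emits a ruleset in which the netdev ingress blocklist is evaluated first, country allow sets come next, and the input chain defaults to drop, with separate IPv4 and IPv6 sets throughout. The file names, interface name and prefixes are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's own code: build an nftables ruleset from
# one-prefix-per-line list files. Interface and file names are constructed.
set -eu

# Join "a\nb\nc" into "a, b, c" so it can be pasted into an nft set definition.
join_prefixes() {
    paste -sd, "$1" | sed 's/,/, /g'
}

# Emit the full ruleset on stdout.
# Arguments: iface blocklist_v4 blocklist_v6 allow_v4 allow_v6 (all list files)
build_ruleset() {
    iface=$1
    cat <<EOF
flush ruleset

table netdev blocklist {
    set bad4 { type ipv4_addr; flags interval; elements = { $(join_prefixes "$2") } }
    set bad6 { type ipv6_addr; flags interval; elements = { $(join_prefixes "$3") } }
    chain ingress {
        # ingress runs before the inet filter, so a blocklisted source in an
        # allowed country is dropped even though its country set would accept it
        type filter hook ingress device $iface priority -500; policy accept;
        ip saddr @bad4 drop
        ip6 saddr @bad6 drop
    }
}

table inet filter {
    set allowed4 { type ipv4_addr; flags interval; elements = { $(join_prefixes "$4") } }
    set allowed6 { type ipv6_addr; flags interval; elements = { $(join_prefixes "$5") } }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr @allowed4 accept
        ip6 saddr @allowed6 accept
    }
}
EOF
}

# Validate with nft's syntax check (-c) before loading, so a bad list file
# cannot leave the host with a half-applied ruleset. Needs root and nft.
apply_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}
```

Write the output of build_ruleset to a file and pass it to apply_ruleset; with an empty list file the generated `elements = {  }` is rejected by `nft -c`, which is the intended failure mode.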

Description

The goal of the script is to download the MaxMind GeoIP databases (IPv4 and IPv6) and compute all the lists. Here are the steps the script performs.

------------- [ Startup of the script. ]------------

---> [ STEP 01 Initial checks ]------------

---> [ STEP 02 Creation of a Temporary RamDrive to compute and download Files ]------------

---> [ STEP 03 Creation of a /tmp/RamDriveTemp and checks if script can write in ]------------

---> [ STEP 04 Download MaxMind Database ]------------

---> [ STEP 05 Compare SHA256 checksum of Downloaded database ]------------

---> [ STEP 06 Extracts the archive to RamDrive ]------------

---> [ STEP 07 Transform all files, Ordering and Filtering ]------------

---> [ STEP 08 Select list of countries ]------------

---> [ STEP 09 Insert commas and join lines of files located in RamDriveTemp. ]------------

-----> [ STEP 09a modify IPv4 files ]------------

-----> [ STEP 09b modify IPv6 files ]------------

---> [ STEP 10 Archive and Copy Files ]------------

---> [ STEP 11 RamDrive destruction ]------------

Script run time : 26s

Parameters

nft-ruleset [-v] [-h] [-p] [-l q|f] [-s d|n]
              -v     : Version
              -h     : This help file
              -p     : Purge all stored backups
              -l     : Log Level
                 q   : quiet, store only starting and ending in logfile
                 f   : store full details in logfile
              -s     : Only run a small part of this script, options have to be mentioned
                 d   : download : Only donwloads database and sha256 file
                 n   : just add rulesets to nftables

Version

-v : displays the version of the script

Help

-h : Displays the help menu

Purge

-p : Purge all the archives previously stored

Log

-l q : Quiet mode, stores errors and all steps only in the log file.
-l f : Verbose mode, outputs each step in detail.

Stage selection

This still has to be implemented.
-d : Download only
-n : Add the rules to the firewall
