Feature: Optionally apply blacklist for Forwards (#7)

Author: doncato

nft-blackhole.conf

@@ -15,6 +15,8 @@ BLOCK_POLICY: drop
 # Connections to blocked countries will still be possible.
 BLOCK_OUTPUT: off
 
+# Block forwarded connections from blacklisted ips: 'on' or 'off', default: 'off'
+BLOCK_FORWARD: off
 
 # Whitelist: IP or Network adresses
 WHITELIST:

nft-blackhole.py

@@ -31,6 +31,7 @@
 BLACKLIST = config['BLACKLIST']
 COUNTRY_LIST = config['COUNTRY_LIST']
 BLOCK_OUTPUT = config['BLOCK_OUTPUT']
+BLOCK_FORWARD = config['BLOCK_FORWARD']
 
 
 # Correct incorrect YAML parsing of NO (Norway)
@@ -42,6 +43,17 @@
 SET_TEMPLATE = ('table inet blackhole {\n\tset ${set_name} {\n\t\ttype ${ip_ver}_addr\n'
                 '\t\tflags interval\n\t\tauto-merge\n\t\telements = { ${ip_list} }\n\t}\n}').expandtabs()
 
+FORWARD_TEMPLATE = ('\tchain forward {\n\t\ttype filter hook forward priority -1; policy accept;\n'
+                   '\t\tct state established,related accept\n'
+                   '\t\tip saddr @whitelist-v4 counter accept\n'
+                   '\t\tip6 saddr @whitelist-v6 counter accept\n'
+                   '\t\tip saddr @blacklist-v4 counter ${block_policy}\n'
+                   '\t\tip6 saddr @blacklist-v6 counter ${block_policy}\n'
+                   '\t\t${country_ex_ports_rule}'
+                   '\t\tip saddr @country-v4 counter ${country_policy}\n'
+                   '\t\tip6 saddr @country-v6 counter ${country_policy}\n'
+                   '\t\tcounter\n\t}').expandtabs() 
+
 OUTPUT_TEMPLATE = ('\tchain output {\n\t\ttype filter hook output priority -1; policy accept;\n'
                    '\t\tip daddr @whitelist-v4 counter accept\n'
                    '\t\tip6 daddr @whitelist-v6 counter accept\n'
@@ -79,6 +91,13 @@
 else:
     chain_output = ''
 
+if BLOCK_FORWARD:
+    chain_forward = Template(FORWARD_TEMPLATE).substitute(block_policy=block_policy,
+                                                          country_policy=country_policy,
+                                                          country_ex_ports_rule=country_ex_ports_rule)
+else:
+    chain_forward = ''
+
 # Setting urllib
 ctx = ssl.create_default_context()
 IGNORE_CERTIFICATE = False
@@ -106,7 +125,8 @@ def start():
                                                  block_policy=block_policy,
                                                  country_ex_ports_rule=country_ex_ports_rule,
                                                  country_policy=country_policy,
-                                                 chain_output=chain_output)
+                                                 chain_output=chain_output,
+                                                 chain_forward=chain_forward)
 
     run(['nft', '-f', '-'], input=nft_conf.encode(), check=True)
 

nft-blackhole.template

@@ -50,4 +50,6 @@ table inet blackhole {
         }
 
         ${chain_output}
+
+        ${chain_forward}
 }