nft-blackhole
nft-blackhole - script/daemon for blocking IP addresses in nftables by country and by blacklists.
Features
- download publicly available blacklists and block the IP addresses they contain,
- block or whitelist individual countries,
- whitelist individual networks or IP addresses.
Installation
Install the nft-blackhole package from the AUR.
Configuration file
In the configuration file /etc/nft-blackhole.conf you can define:
- the IP versions to handle (ipv4, ipv6),
- the blocking policy (reject, drop),
- networks or IP addresses for the whitelist,
- blacklist URLs,
- the list of countries and the policy applied to them (accept, block).
Usage
As root, to start the systemd unit:
# systemctl start nft-blackhole.service
To enable it at boot:
# systemctl enable nft-blackhole.service
List the packet counters for dropped/accepted traffic:
# nft list chain inet blackhole input
List the blackhole table and its sets:
# nft list table inet blackhole
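The chain listing above carries a `counter packets N bytes M` expression on each rule, which is what you would poll for monitoring. As an added example (not part of nft-blackhole itself), the script below parses such a listing into per-verdict packet counts; the sample chain, including its set names, is constructed and will differ from a real installation.

```shell
#!/bin/sh
# Summarise per-verdict packet counters from the output of
# `nft list chain inet blackhole input`. nft prints each counting rule as
# "... counter packets N bytes M <verdict>", so the verdict is the last
# field and the packet count follows the word "packets".
# Added example: the sample listing and set names below are constructed.

blackhole_counters() {
    # stdin: an nft chain listing; stdout: "<verdict> <packets>" per rule
    awk '
        /counter packets/ {
            for (i = 1; i <= NF; i++) if ($i == "packets") pk = $(i + 1)
            v = $NF
            sub(/;$/, "", v)
            print v, pk
        }
    '
}

# Total packets hitting drop rules (stdin: an nft chain listing)
dropped_total() {
    blackhole_counters | awk '$1 == "drop" { n += $2 } END { print n + 0 }'
}

# Constructed sample listing; a real chain depends on the configuration
SAMPLE='table inet blackhole {
	chain input {
		type filter hook input priority -1; policy accept;
		ip saddr @whitelist-v4 counter packets 120 bytes 9600 accept
		ip saddr @blacklist-v4 counter packets 42 bytes 2520 drop
		ip saddr @country-v4 counter packets 7 bytes 420 drop
	}
}'

# On a live system (as root): nft list chain inet blackhole input | dropped_total
printf '%s\n' "$SAMPLE" | blackhole_counters
printf '%s\n' "$SAMPLE" | dropped_total
```

Feeding `dropped_total` from a cron job or a monitoring agent gives a single number whose growth rate shows how much traffic the blocklists are actually catching.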
Refresh lists
Manually:
# systemctl reload nft-blackhole.service
or add an entry to root's crontab for automatic refreshes, for example:
0 */6 * * * systemctl reload nft-blackhole.service
to refresh every six hours.