Using nftables for blocklists

I moved ssh to another port, and now access is rejected with a host unreachable on port 22.
I now have this little rule to enable ssh on the new port. I do a ping -l 1001 <system> and my IP can access <system> for a couple of hours.

/etc/nftables/nftables_knock.nft

Code:
table ip knock {
    set exceptions {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.0/8, 192.168.88.0/24, x.y.z.0/24 }
    }
    set doorbell {
        # Dynamic set: entries added by the rules below expire 8 hours after insertion
        type ipv4_addr
        flags dynamic, timeout
        timeout 8h
    }
    chain input {
        # "iifname" is not valid in a chain header; the interface is matched per rule instead
        type filter hook input priority 0; policy accept;

        # Accept TCP traffic on port 12345 for IP addresses in the "exceptions" set
        iifname "ens18" ip saddr @exceptions tcp dport 12345 accept
        # An ICMP echo with an IP total length between 1001 and 1099 bytes rings the doorbell
        iifname "ens18" ip length > 1000 ip length < 1100 icmp type { echo-request, echo-reply } add @doorbell { ip saddr }
        # Drop TCP traffic on port 12345 only for IP addresses not in the "doorbell" set
        iifname "ens18" ip saddr != @doorbell tcp dport 12345 drop
    }
}
 
Finally posted this on the Hub & Spoke:

@r00igev@@r Just wondering out of interest, how long does it take for the script to load the IPs into nftables, and how many IP blocks would you say you are loading in on average?

I tried something similar and it took me quite a long time to load about 50k IP blocks, so I found a different way to load it in, now it does it in < 5 seconds.

Code:
#!/bin/bash
BLOCKLIST_FILE="/home/username/nftables/blocked_ips.txt"
BATCH_FILE="/home/username/nftables/nftables_batch.nft"

# Load blocklist into nftables: flush and refill the set from one batch file,
# so nft applies both operations in a single transaction
echo "flush set inet filter blacklist" > "$BATCH_FILE"
echo -n "add element inet filter blacklist { " >> "$BATCH_FILE"
# First field of every line, comma-separated, with the trailing separator removed
awk '{printf "%s, ", $1}' "$BLOCKLIST_FILE" | sed 's/, $//' >> "$BATCH_FILE"
echo " }" >> "$BATCH_FILE"
nft -f "$BATCH_FILE"
 
I haven't benchmarked it but it doesn't work when you try and do it all in one go. I'll check it by adding some code to time it.

Out of interest, how do you do it?
 

This is what I am running on my server in a cronjob (I just removed some of the blocklist URLs to keep the script shorter for this example).

From what I can see it seems to be working, when I run "nft list set inet filter blacklist" I see a massive set of IP blocks.

Here is my full script that I run: https://pastebin.com/iRmhkusJ
I used some parts of your script that I found useful.
Cloudflare blocked my request for being suspicious when trying to post the code here directly 😅

Inside of the nftables config I just added this piece, and then added my drop rules.

Code:
        set blacklist {
            type ipv4_addr;
            flags interval;
        }
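An added example of the same batch-loading approach, my own rather than the script from the thread, with one defensive addition: every line of the list is checked against an IPv4/CIDR pattern before it is written into the batch, so a malformed or unexpected line in a third-party list never reaches `nft -f`, and the batch is parsed with `nft -c` before it is applied. The set name `blacklist` in table `inet filter` follows the thread; the sample entries, the `/tmp` path and the IPv4-only assumption are mine.

```shell
#!/bin/sh
# Added example, not the thread's script: build the nft batch from a blocklist
# while validating every entry, so only IPv4 addresses/CIDRs reach the nft file.
LC_ALL=C
export LC_ALL

# One IPv4 octet, then an address with an optional /0-/32 prefix (assumed IPv4-only lists).
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
CIDR_RE="^${OCTET}(\.${OCTET}){3}(/(3[0-2]|[12]?[0-9]))?\$"

# Read blocklist lines on stdin, write an nft batch for the named set on stdout.
# Comments and extra fields are stripped, malformed lines dropped, duplicates merged.
build_batch() {
    setname="$1"
    printf 'flush set inet filter %s\n' "$setname"
    sed 's/#.*//' | awk 'NF { print $1 }' | grep -E "$CIDR_RE" | sort -u |
    awk -v setname="$setname" '
        NR == 1 { printf "add element inet filter %s { %s", setname, $1; next }
                { printf ", %s", $1 }
        END     { if (NR > 0) print " }" }'
}

# Count the lines a list would lose to validation (a useful cron sanity check).
count_rejected() {
    sed 's/#.*//' | awk 'NF { print $1 }' | grep -Evc "$CIDR_RE" || true
}

# Parse the batch with nft -c first (check only), then apply it in one transaction.
apply_batch() {
    nft -c -f "$1" && nft -f "$1"
}

# Constructed sample list (not real indicators): RFC 5737 documentation addresses,
# a trailing comment, a hostname, an out-of-range octet and a duplicate entry.
SAMPLE='192.0.2.0/24
198.51.100.7   # single host
example.com
999.1.1.1
192.0.2.0/24'

# Print the batch; pass "apply" as the first argument to write and load it instead.
if [ "${1:-}" = "apply" ]; then
    printf '%s\n' "$SAMPLE" | build_batch blacklist > /tmp/nftables_batch.nft
    apply_batch /tmp/nftables_batch.nft
else
    printf '%s\n' "$SAMPLE" | build_batch blacklist
fi
```

Interval sets reject overlapping elements on insert unless the set is declared with `auto-merge`, so lists that contain both a /24 and hosts inside it need that flag or a merge step before loading.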
 
I'm dumb: Doesn't everything else (ipset, ufw, iptables) translate to nftables in the back-end anyway?
 