blob: 2aad47e73b59046830bd2c8422141b300d99c0c1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
nftables-geoip-db
=================
nftables-geoip-db makes use of @@@DBSOURCE@@@ GeoIP data.
It creates country specific database files which can be used by nft command via an include statement.
Note: In the following text, CC represents 2 letter ISO code of a country, which you should replace as per your choice of the country.
Country specific files are stored in /usr/share/nft_geoip directory and are named as:
For IPv4: CC.ipv4
For IPv6: CC.ipv6
Each country specific file defines a variable which holds IP addresses specific to that country as per @@@DBSOURCE@@@ GeoIP data.
Variable names are of the following form.
For IPv4: geoip4_iso_country_CC
For IPv6: geoip6_iso_country_CC
This variable can be used in nft statements (rules, sets etc.) to act based on country.
Example:
--------
#!/usr/bin/nft -f
# Purpose: allow SSH connections only from India (IN)
# create some basic rules
flush ruleset
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add rule ip filter INPUT iif lo accept
add rule ip filter INPUT ct state established,related accept
# include the country specific file
include "/usr/share/nft_geoip/IN.ipv4"
# create a set containing IP addresses of India
add set ip filter geo_IN { type ipv4_addr; flags interval; elements = $geoip4_iso_country_IN }
# create rule to accept connection from IP address in the set
add rule ip filter INPUT ct state new tcp dport ssh ip saddr @geo_IN accept
# alternate form without creating a set (anonymous set)
# add rule ip filter INPUT ct state new tcp dport ssh ip saddr $geoip4_iso_country_IN accept
Auto-update GeoIP SETs
----------------------
When nftables-geoip-db is updated, IP address ranges of a country may have changed.
So you need to update your active nftables sets with up-to-date IP addresses.
You can place file with extension .update.nft in /etc/nftables.d/geoip directory.
This file should contain nft rules which change the contents of a set with new IP address ranges.
When nftables-geoip-db package is updated, it will automatically run these rules.
Example:
--------
$ cat /etc/nftables.d/geoip/IN.update.nft
#!/usr/bin/nft -f
# include the country specific file
include "/usr/share/nft_geoip/IN.ipv4"
# flush and update the set containing IP addresses of India
flush set ip filter geo_IN
add element ip filter geo_IN $geoip4_iso_country_IN
Legal Attribution:
------------------
This product includes @@@DBSOURCE@@@ database, available from @@@DBLINK@@@
|