Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
01-03-2020, 04:48 AM #1
LQ Newbie, Registered: Jan 2020, Posts: 6
How to add accept exclusions using nftables
Hi there everyone. I'm basically trying to use some blocklists from Internet sources, but my problem is that some of these blocklists block IP addresses I want to use, so I'm trying to put in ACCEPT exclusions (an example is Cloudflare DNS 1.1.1.1).
My blocklists are loaded into their own table, and the exclusions are in their own table. Any pointers, anyone? I've trawled the Internet but can't find anything relevant or that I can understand.
I've only just started playing with nftables, so I can look to upgrade my Debian server to buster. Hopefully I've pasted below a representation of my nftables ruleset as it is now (I've shortened the blocklists as they are large).
Code:
table ip fail2ban {
	set f2b-sshd {
		type ipv4_addr
		elements = { 218.92.0.148 }
	}
	set f2b-recidive {
		type ipv4_addr
elements = { 103.235.170.195, 159.203.32.71, 49.232.42.135, 84.201.160.12, 124.153.75.28, 49.234.99.246, 49.234.115.143, 111.231.144.219, 37.139.0.226, 118.24.74.84, 111.231.69.18, 194.143.231.202, 139.155.118.190, 106.12.60.185, 203.189.202.228, 212.64.29.199, 140.143.183.71, 198.1.65.159, 45.184.225.2, 175.140.23.240, 210.202.8.64, 106.13.2.130, 222.186.180.130, 192.163.207.48, 177.38.165.131, 165.227.211.13, 88.88.112.98, 27.254.46.67, 186.64.122.117, 213.32.92.57, 185.38.3.138, 122.51.37.26, 178.128.117.55, 43.243.128.213, 118.24.23.196, 139.59.57.242, 222.186.175.167, 198.23.251.238, 106.13.4.250, 182.61.44.136, 122.154.251.22, 58.56.164.66, 182.61.54.106, 162.243.50.8, 103.36.84.100, 51.38.71.36, 194.152.206.93, 190.64.137.171, 211.26.187.128, 190.111.115.90, 80.51.146.16, 101.230.236.177, 129.204.94.79, 106.75.71.9, 95.243.136.198, 122.180.48.29, 104.236.176.175, 129.204.23.5, 178.128.247.181, 187.188.193.211, 185.244.167.52, 211.25.119.131, 129.28.198.22, 120.92.133.32, 49.233.46.219, 177.74.61.241, 121.164.31.163, 167.71.179.114, 220.158.148.132, 222.186.15.158, 101.110.47.172, 203.194.53.214, 159.89.100.75, 51.38.234.224, 121.133.108.111, 103.10.30.204, 182.61.132.207, 190.61.60.66, 159.203.111.100, 106.12.180.216, 106.13.83.251, 178.62.181.74, 186.67.248.8, 5.253.62.168, 62.234.74.29, 178.62.90.135, 5.196.140.219, 106.245.255.19, 222.186.173.226, 118.126.112.116, 190.117.62.241, 189.90.255.173, 157.230.129.73, 157.230.226.7, 124.171.10.135, 222.186.42.155, 115.159.237.70, 203.148.53.227, 129.204.202.89, 179.233.22.90, 104.248.205.67, 220.130.178.36, 161.117.176.196, 187.162.73.164, 5.135.146.51, 101.91.242.119, 99.242.114.107, 175.140.23.248, 128.199.167.233, 4.14.65.34, 61.153.189.140, 61.69.254.46, 49.235.199.178, 77.138.254.154, 54.37.66.54, 187.32.227.205, 51.38.176.147, 79.1.80.83, 51.75.153.255, 51.75.23.173, 46.101.187.76, 139.59.169.37, 189.126.72.41, 202.129.210.59, 213.32.91.37, 139.219.15.116, 51.83.41.120, 129.211.147.123, 120.70.101.46, 
86.57.217.241, 218.92.0.145, 129.204.37.181, 118.25.106.66, 92.222.92.114, 54.38.139.210, 124.156.218.80}
	}
	chain input {
		type filter hook input priority 100; policy accept;
		ip protocol ip-255 ip saddr @f2b-recidive drop
		tcp dport { ssh } ip saddr @f2b-sshd drop
	}
}
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		ip saddr 1.0.0.1 tcp dport domain counter packets 0 bytes 0 accept
		ip saddr 1.0.0.1 udp dport domain counter packets 0 bytes 0 accept
		ip saddr 1.1.1.1 tcp dport domain counter packets 0 bytes 0 accept
		ip saddr 1.1.1.1 udp dport domain counter packets 0 bytes 0 accept
		ip saddr 8.8.4.4 tcp dport domain counter packets 0 bytes 0 accept
		ip saddr 8.8.4.4 udp dport domain counter packets 0 bytes 0 accept
		ip saddr 8.8.8.8 tcp dport domain counter packets 0 bytes 0 accept
		ip saddr 8.8.8.8 udp dport domain counter packets 0 bytes 0 accept
		ip saddr 9.9.9.9 tcp dport domain counter packets 0 bytes 0 accept
		ip saddr 9.9.9.9 udp dport domain counter packets 0 bytes 0 accept
		ip saddr 34.248.0.0/13 tcp dport 32400 counter packets 11 bytes 1491 accept
		ip saddr 52.218.212.19 tcp dport smtp counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/21 tcp dport 7878 counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/21 tcp dport 8989 counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/21 tcp dport 32400 counter packets 123182 bytes 10673240 accept
		ip saddr 192.168.0.0/21 tcp dport domain counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/21 tcp dport http counter packets 915 bytes 70167 accept
		ip saddr 192.168.0.0/21 tcp dport https counter packets 27733 bytes 5142575 accept
		ip saddr 192.168.0.0/21 tcp dport ssh counter packets 7038 bytes 477632 accept
		ip saddr 192.168.0.0/21 udp dport domain counter packets 5714 bytes 392791 accept
		ip saddr 192.168.0.0/21 udp dport ssh counter packets 0 bytes 0 accept
		ip saddr 193.35.234.21 tcp dport 3389-3390 counter packets 0 bytes 0 accept
		ip saddr 193.35.234.21 tcp dport http counter packets 0 bytes 0 accept
		ip saddr 193.35.234.21 tcp dport https counter packets 0 bytes 0 accept
		ip saddr 193.35.234.21 tcp dport ssh counter packets 0 bytes 0 accept
		ip saddr 193.35.234.68 tcp dport 3389-3390 counter packets 0 bytes 0 accept
		ip saddr 193.35.234.68 tcp dport http counter packets 0 bytes 0 accept
		ip saddr 193.35.234.68 tcp dport https counter packets 0 bytes 0 accept
		ip saddr 193.35.234.68 tcp dport ssh counter packets 0 bytes 0 accept
		ip saddr 193.35.235.117 tcp dport 3389-3390 counter packets 0 bytes 0 accept
		ip saddr 193.35.235.117 tcp dport http counter packets 0 bytes 0 accept
		ip saddr 193.35.235.117 tcp dport https counter packets 0 bytes 0 accept
		ip saddr 193.35.235.117 tcp dport ssh counter packets 0 bytes 0 accept
		tcp dport != ssh
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
table ip anti-infringement {
	set anti-infringment {
		type ipv4_addr
		flags interval
		elements = { 1.0.128.0/17, 1.1.128.0/17, 1.2.128.0/17, ... 223.243.112.129, 223.244.223.89, 223.245.0.0-223.247.255.255 }
	}
	chain input {
		type filter hook input priority 200; policy accept;
		ip saddr @anti-infringment log prefix "Anti-Infringment: " drop
	}
}
table ip squid-torrent-trackers {
	set squid-torrent-trackers {
		type ipv4_addr
		flags interval
		elements = { 1.1.1.1, 5.9.59.55, 5.9.67.116, ... 222.111.176.231, 222.122.47.136, 222.122.205.133 }
	}
	chain input {
		type filter hook input priority 200; policy accept;
		ip saddr @squid-torrent-trackers log prefix "Squid TorrentTrackers: " drop
	}
}
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
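The ruleset above explains the symptom once you know how nftables orders base chains. For one hook (here `input` in the `ip` family), every base chain attached to it is evaluated in ascending `priority` order: `ip filter input` (priority 0) runs first, then `fail2ban input` (100), then the two blocklist chains (200). An `accept` verdict only ends the chain that issued it; the packet still goes on to the remaining base chains, and a `drop` in any of them is final. So the `ip saddr 1.1.1.1 ... accept` rules at priority 0 do nothing to protect 1.1.1.1 from the `drop` in `squid-torrent-trackers` at priority 200, where 1.1.1.1 is an element of the set. An exclusion has to sit in the same chain as the drop, ahead of the drop rule (or be repeated in every dropping chain). The script below is an added example, not code from the original post: it merges the two blocklists into one table with an `allowlist` set that is checked first. The table and set names (`blocklists`, `allowlist`, `anti_infringement`, `torrent_trackers`) and the set contents are constructed stand-ins for the large lists elided above. It writes the ruleset to a file, verifies the ordering invariant textually, and asks `nft -c -f` to validate the file when `NFT_CHECK=1` is set and `nft` is available (that check needs root).

```shell
#!/bin/sh
# Added example, not code from the original post. Table/set names and the set
# contents are constructed for illustration.
set -eu

# Emit a complete ruleset for `nft -f`. Only the blocklists table is replaced;
# the fail2ban and filter tables are left untouched (no `flush ruleset`).
render_ruleset() {
cat <<'EOF'
#!/usr/sbin/nft -f
# Create-then-delete makes the file safe to reload: `delete` would fail if the
# table did not exist yet, and deleting it discards stale set contents.
table ip blocklists
delete table ip blocklists

table ip blocklists {
    # Sources that no blocklist may drop, whatever the downloaded lists contain.
    set allowlist {
        type ipv4_addr
        flags interval
        elements = { 1.1.1.1, 1.0.0.1, 9.9.9.9, 192.168.0.0/21 }
    }
    # Constructed stand-ins for the large downloaded lists.
    set anti_infringement {
        type ipv4_addr
        flags interval
        elements = { 1.0.128.0/17, 223.245.0.0-223.247.255.255 }
    }
    set torrent_trackers {
        type ipv4_addr
        flags interval
        elements = { 1.1.1.1, 5.9.59.55 }
    }
    chain input {
        type filter hook input priority 200; policy accept;
        # The exclusion must be in THIS chain, before the drops: an accept in
        # another base chain (e.g. priority 0) does not stop a later chain from
        # dropping the packet; only a drop ends evaluation early.
        ip saddr @allowlist counter accept
        ip saddr @anti_infringement log prefix "Anti-Infringement: " counter drop
        ip saddr @torrent_trackers log prefix "Squid TorrentTrackers: " counter drop
    }
}
EOF
}

# Ask nft to parse and evaluate the file without loading it (needs root).
check_with_nft() {
    nft -c -f "$1"
}

# Offline invariant check: in the file, the allowlist accept must precede the
# first drop rule. Returns 0 when it does, 1 otherwise.
check_ordering() {
    accept_line=$(grep -n '@allowlist .*accept$' "$1" | head -n 1 | cut -d: -f1)
    drop_line=$(grep -n ' drop$' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Usage: sh blocklists.sh [outfile]; then, as root, `nft -f outfile`.
main() {
    out=${1:-/tmp/blocklists.nft}
    render_ruleset > "$out"
    check_ordering "$out"
    if [ "${NFT_CHECK:-0}" = 1 ] && command -v nft >/dev/null 2>&1; then
        check_with_nft "$out"
    fi
    echo "ruleset written to $out; load with: nft -f $out"
}

[ "${1:-}" = "--no-main" ] || main "$@"
```

Two caveats for the rest of the ruleset. The `fail2ban` table is rewritten by fail2ban itself, so exclusions for its sets belong in fail2ban's `ignoreip` setting rather than in an nft rule. And if the goal with 1.1.1.1 is to let replies to your own resolver queries through, those packets arrive with `udp sport domain` (or match `ct state established`), not `dport domain`; the zero packet counters on the `dport domain` rules above are consistent with that.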
01-04-2020, 02:01 PM #2
LQ Veteran, Registered: Feb 2013, Location: Tucson, AZ, USA, Distribution: CentOS 7.9.2009, Posts: 5,732