LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.



Closed Thread
Old 01-03-2020, 04:48 AM   #1
AndyPC
LQ Newbie
 
Registered: Jan 2020
Posts: 6

Rep: Reputation: Disabled
Question How to add accept exclusions using nftables


Hi there everyone. I'm basically trying to use some blocklists from Internet sources, but my problem is that some of these blocklists block IP addresses I want to use, so I'm trying to put in ACCEPT exclusions (an example is Cloudflare DNS 1.1.1.1).

My blocklists are loaded into their own table, and the exclusions are in their own table. Any pointers, anyone? I've trawled the Internet but can't find anything relevant or that I can understand.

I've only just started playing with nftables, so I can look to upgrade my Debian server to buster. Hopefully I've pasted below a representation of my nftables ruleset as it is now (I've shortened the blocklists as they are large).


Code:
table ip fail2ban {
        set f2b-sshd {
                type ipv4_addr
                elements = { 218.92.0.148}
        }

        set f2b-recidive {
                type ipv4_addr
                elements = { 103.235.170.195, 159.203.32.71, 49.232.42.135, 84.201.160.12, 124.153.75.28, 49.234.99.246, 49.234.115.143, 111.231.144.219, 37.139.0.226, 118.24.74.84, 111.231.69.18, 194.143.231.202, 139.155.118.190, 106.12.60.185, 203.189.202.228, 212.64.29.199, 140.143.183.71, 198.1.65.159, 45.184.225.2, 175.140.23.240, 210.202.8.64, 106.13.2.130, 222.186.180.130, 192.163.207.48, 177.38.165.131, 165.227.211.13, 88.88.112.98, 27.254.46.67, 186.64.122.117, 213.32.92.57, 185.38.3.138, 122.51.37.26, 178.128.117.55, 43.243.128.213, 118.24.23.196, 139.59.57.242, 222.186.175.167, 198.23.251.238, 106.13.4.250, 182.61.44.136, 122.154.251.22, 58.56.164.66, 182.61.54.106, 162.243.50.8, 103.36.84.100, 51.38.71.36, 194.152.206.93, 190.64.137.171, 211.26.187.128, 190.111.115.90, 80.51.146.16, 101.230.236.177, 129.204.94.79, 106.75.71.9, 95.243.136.198, 122.180.48.29, 104.236.176.175, 129.204.23.5, 178.128.247.181, 187.188.193.211, 185.244.167.52, 211.25.119.131, 129.28.198.22, 120.92.133.32, 49.233.46.219, 177.74.61.241, 121.164.31.163, 167.71.179.114, 220.158.148.132, 222.186.15.158, 101.110.47.172, 203.194.53.214, 159.89.100.75, 51.38.234.224, 121.133.108.111, 103.10.30.204, 182.61.132.207, 190.61.60.66, 159.203.111.100, 106.12.180.216, 106.13.83.251, 178.62.181.74, 186.67.248.8, 5.253.62.168, 62.234.74.29, 178.62.90.135, 5.196.140.219, 106.245.255.19, 222.186.173.226, 118.126.112.116, 190.117.62.241, 189.90.255.173, 157.230.129.73, 157.230.226.7, 124.171.10.135, 222.186.42.155, 115.159.237.70, 203.148.53.227, 129.204.202.89, 179.233.22.90, 104.248.205.67, 220.130.178.36, 161.117.176.196, 187.162.73.164, 5.135.146.51, 101.91.242.119, 99.242.114.107, 175.140.23.248, 128.199.167.233, 4.14.65.34, 61.153.189.140, 61.69.254.46, 49.235.199.178, 77.138.254.154, 54.37.66.54, 187.32.227.205, 51.38.176.147, 79.1.80.83, 51.75.153.255, 51.75.23.173, 46.101.187.76, 139.59.169.37, 189.126.72.41, 202.129.210.59, 213.32.91.37, 139.219.15.116, 51.83.41.120, 129.211.147.123, 
120.70.101.46, 86.57.217.241, 218.92.0.145, 129.204.37.181, 118.25.106.66, 92.222.92.114, 54.38.139.210, 124.156.218.80}
        }

        chain input {
                type filter hook input priority 100; policy accept;
                ip protocol ip-255 ip saddr @f2b-recidive drop
                tcp dport { ssh} ip saddr @f2b-sshd drop
        }
}
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ip saddr 1.0.0.1 tcp dport domain counter packets 0 bytes 0 accept
                ip saddr 1.0.0.1 udp dport domain counter packets 0 bytes 0 accept
                ip saddr 1.1.1.1 tcp dport domain counter packets 0 bytes 0 accept
                ip saddr 1.1.1.1 udp dport domain counter packets 0 bytes 0 accept
                ip saddr 8.8.4.4 tcp dport domain counter packets 0 bytes 0 accept
                ip saddr 8.8.4.4 udp dport domain counter packets 0 bytes 0 accept
                ip saddr 8.8.8.8 tcp dport domain counter packets 0 bytes 0 accept
                ip saddr 8.8.8.8 udp dport domain counter packets 0 bytes 0 accept
                ip saddr 9.9.9.9 tcp dport domain counter packets 0 bytes 0 accept
                ip saddr 9.9.9.9 udp dport domain counter packets 0 bytes 0 accept
                ip saddr 34.248.0.0/13 tcp dport 32400 counter packets 11 bytes 1491 accept
                ip saddr 52.218.212.19 tcp dport smtp counter packets 0 bytes 0 accept
                ip saddr 192.168.0.0/21 tcp dport 7878 counter packets 0 bytes 0 accept
                ip saddr 192.168.0.0/21 tcp dport 8989 counter packets 0 bytes 0 accept
                ip saddr 192.168.0.0/21 tcp dport 32400 counter packets 123182 bytes 10673240 accept
                ip saddr 192.168.0.0/21 tcp dport domain counter packets 0 bytes 0 accept
                ip saddr 192.168.0.0/21 tcp dport http counter packets 915 bytes 70167 accept
                ip saddr 192.168.0.0/21 tcp dport https counter packets 27733 bytes 5142575 accept
                ip saddr 192.168.0.0/21 tcp dport ssh counter packets 7038 bytes 477632 accept
                ip saddr 192.168.0.0/21 udp dport domain counter packets 5714 bytes 392791 accept
                ip saddr 192.168.0.0/21 udp dport ssh counter packets 0 bytes 0 accept
                ip saddr 193.35.234.21 tcp dport 3389-3390 counter packets 0 bytes 0 accept
                ip saddr 193.35.234.21 tcp dport http counter packets 0 bytes 0 accept
                ip saddr 193.35.234.21 tcp dport https counter packets 0 bytes 0 accept
                ip saddr 193.35.234.21 tcp dport ssh counter packets 0 bytes 0 accept
                ip saddr 193.35.234.68 tcp dport 3389-3390 counter packets 0 bytes 0 accept
                ip saddr 193.35.234.68 tcp dport http counter packets 0 bytes 0 accept
                ip saddr 193.35.234.68 tcp dport https counter packets 0 bytes 0 accept
                ip saddr 193.35.234.68 tcp dport ssh counter packets 0 bytes 0 accept
                ip saddr 193.35.235.117 tcp dport 3389-3390 counter packets 0 bytes 0 accept
                ip saddr 193.35.235.117 tcp dport http counter packets 0 bytes 0 accept
                ip saddr 193.35.235.117 tcp dport https counter packets 0 bytes 0 accept
                ip saddr 193.35.235.117 tcp dport ssh counter packets 0 bytes 0 accept
                tcp dport != ssh
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip anti-infringement {
        set anti-infringment {
                type ipv4_addr
                flags interval
                elements = { 1.0.128.0/17, 1.1.128.0/17, 1.2.128.0/17, ... 223.243.112.129, 223.244.223.89, 223.245.0.0-223.247.255.255}
        }

        chain input {
                type filter hook input priority 200; policy accept;
                ip saddr @anti-infringment log prefix "Anti-Infringment: " drop
        }
}
table ip squid-torrent-trackers {
        set squid-torrent-trackers {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1, 5.9.59.55, 5.9.67.116, ... 222.111.176.231, 222.122.47.136, 222.122.205.133}
        }

        chain input {
                type filter hook input priority 200; policy accept;
                ip saddr @squid-torrent-trackers log prefix "Squid TorrentTrackers: " drop
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
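The ruleset above shows why the accept rules in `table ip filter` do not protect 1.1.1.1: in nftables an `accept` verdict only ends evaluation in the current base chain, after which the packet is handed to the next base chain on the same hook with a higher priority number, so the `squid-torrent-trackers` chain at priority 200 (whose set literally contains 1.1.1.1) still drops it; only `drop` is final. Sets also cannot be referenced from another table, so the exclusions have to live in the same table as the drop rules. The following is an added example, not code from the thread; the table name `blocklists` and set name `exclusions` are chosen names, and the set contents are shortened constructed samples taken from the poster's own ruleset.

```nft
# Added example: merge the blocklist chains into one table so a single
# exclusion set can be checked before every drop.  The accept below is
# evaluated first, so an excluded address never reaches the drop rules.
table ip blocklists {
        set exclusions {
                type ipv4_addr
                flags interval
                elements = { 1.0.0.1, 1.1.1.1, 8.8.4.4, 8.8.8.8, 9.9.9.9,
                             192.168.0.0/21 }
        }

        set anti-infringment {
                type ipv4_addr
                flags interval
                elements = { 1.0.128.0/17, 1.1.128.0/17 }   # shortened sample
        }

        set squid-torrent-trackers {
                type ipv4_addr
                flags interval
                elements = { 1.1.1.1, 5.9.59.55, 5.9.67.116 }   # shortened sample
        }

        chain input {
                type filter hook input priority 200; policy accept;
                # exclusions first; the counter shows whether they ever match
                ip saddr @exclusions counter accept
                ip saddr @anti-infringment log prefix "Anti-Infringment: " drop
                ip saddr @squid-torrent-trackers log prefix "Squid TorrentTrackers: " drop
        }
}
```

If the blocklists must stay in separate tables, the same `exclusions` set has to be defined in each of those tables and the `accept` rule placed ahead of each chain's drop; `nft list ruleset` together with the rule counters confirms which rule actually handled a test packet from 1.1.1.1.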
 
Old 01-04-2020, 02:01 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,732

Rep: Reputation: 2212
Dup of https://www.linuxquestions.org/quest...ed-4175667009/
which see.

Reported
 
  

