Geolocation for nftables

Introduction

Geolocation for nftables is a Bash script to create nftables sets of country specific IP address ranges for use with firewall rulesets. The project provides a simple and flexible way to implement geolocation filtering with nftables. It can be a useful tool to reduce the chance of malware, ransomware and phishing attempts as well as mitigating the effects of DDoS attacks.

Features

  • A script written for the widely used Bash shell.
  • Easy to set up, configure and customize with source code that's heavily commented.
  • Uses the free geolocation database from db-ip.com (no EULA to accept).
  • Automatically generates country-specific nftables address range sets.
  • The script has a small memory footprint and runs well on systems with limited RAM. A flexible configuration allows loading only the minimum sets required when memory is tight.
  • User settings are stored in a standard configuration file rather than being passed as command line arguments.
  • Packets can be geolocation filtered with a single nftables rule (a set lookup on the address) rather than the two rules needed to mark and then match packets in nftables map based solutions.
  • The script allows access to all of the valid country code address ranges in the database.
  • Automatically determines your installed version of nftables and recommends the correct "include" statements for your ruleset. The script also creates "include-all" files so that all geolocation sets can be included with a single reference on older versions of nftables that don't support include wildcards.
  • The User Guide explains how to keep all element definitions for geolocation sets in one file, eliminating the chance of out-of-sync definitions in multiple files when flushing and refilling sets with new data.
  • Simplified directory structure to shorten "include" path names.
  • The script creates ~500 IPv4 and IPv6 set files from the geolocation database in about 11 seconds on a low power quad-core AMD Ryzen 3 2200GE server with SSD storage.
  • Tested on Ubuntu Server, Fedora Server, and Raspberry Pi OS.

If you find Geolocation for nftables useful, please consider giving us a Star at the top of the page.

Getting Started

Documentation

Please see the Wiki for the latest documentation.

Installation

The Installation Guide has detailed installation instructions to get you up and running.

Usage

The User Guide explains how to configure your ruleset for geolocation filtering. The Guide now contains a troubleshooting section to ease setup.

Dependencies

  • Bash 4.0 or newer.
  • nftables v0.9.0 or newer.
  • awk, curl, grep, gunzip, sed, sort, stat
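The following is an added example and not the project's own script. It sketches the pipeline the Features and Usage sections describe: one awk pass turns a country database into one nftables element file per country and address family, and a ruleset declares each set once and filters with a single `ip saddr @set` rule instead of a mark-and-match pair. It assumes a `start_ip,end_ip,country_code` CSV layout for the database, and the table name `inet filter`, the set names `geo_<cc>_v4` / `geo_<cc>_v6` and the output file layout are this example's own conventions. It also shows the check a practitioner would want: every row must be two addresses of the same family plus a two-letter country code, so a corrupted or tampered download cannot inject statements into a file that `nft -f` will execute.

```shell
#!/usr/bin/env bash
# Added example, not code from the geo-nft project. Assumed CSV layout:
# start_ip,end_ip,country_code. Table "inet filter" and set names
# "geo_<cc>_v4" / "geo_<cc>_v6" are this example's own choices.
set -eu

# Constructed sample rows in the assumed layout; not real db-ip data.
# The malformed row must be rejected, not copied into a file nft will run.
SAMPLE_CSV='1.0.0.0,1.0.0.255,AU
1.0.1.0,1.0.3.255,CN
1.0.4.0,1.0.7.255,AU
2001:200::,2001:200:ffff:ffff:ffff:ffff:ffff:ffff,JP
1.0.8.0,1.0.15.255,CN
not,an,address; flush ruleset
8.8.8.0,8.8.8.255,US'

# geo_generate CSV_FILE OUTDIR
# Writes OUTDIR/<cc>.v4.nft and OUTDIR/<cc>.v6.nft, each a single
# "add element" statement, so a refresh is: flush the set, reload the file.
geo_generate() {
    csv=$1; outdir=$2
    mkdir -p "$outdir"
    awk -F, -v outdir="$outdir" '
        # Shape check only (nft validates the addresses themselves):
        # dotted quad => v4, hex-and-colons with at least one colon => v6.
        function addrfam(a) {
            if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return "v4"
            if (a ~ /^[0-9a-fA-F:]*:[0-9a-fA-F:]*$/) return "v6"
            return ""
        }
        {
            sub(/\r$/, "", $3)                 # tolerate CRLF downloads
            fam = addrfam($1)
            # Reject anything that is not addr,addr,CC: a tampered or
            # truncated database must not reach the ruleset file.
            if (fam == "" || addrfam($2) != fam || $3 !~ /^[A-Z][A-Z]$/) {
                bad++; next
            }
            key = tolower($3) "." fam
            sep = (key in elems) ? ",\n    " : ""
            elems[key] = elems[key] sep $1 "-" $2   # interval set element
        }
        END {
            for (key in elems) {
                split(key, p, ".")
                file = outdir "/" key ".nft"
                printf "add element inet filter geo_%s_%s {\n    %s\n}\n",
                       p[1], p[2], elems[key] > file
                close(file)        # one open file at a time, any awk
            }
            printf "skipped %d malformed line(s)\n", bad + 0 > "/dev/stderr"
        }' "$csv"
}

# geo_ruleset CC...
# Prints a ruleset declaring the interval sets and dropping inbound traffic
# from the listed countries with one rule per address family.
geo_ruleset() {
    echo "table inet filter {"
    for cc in "$@"; do
        cc=$(printf '%s' "$cc" | tr 'A-Z' 'a-z')
        echo "    set geo_${cc}_v4 { type ipv4_addr; flags interval; }"
        echo "    set geo_${cc}_v6 { type ipv6_addr; flags interval; }"
    done
    echo "    chain input {"
    echo "        type filter hook input priority filter; policy accept;"
    for cc in "$@"; do
        cc=$(printf '%s' "$cc" | tr 'A-Z' 'a-z')
        echo "        ip saddr @geo_${cc}_v4 drop"
        echo "        ip6 saddr @geo_${cc}_v6 drop"
    done
    echo "    }"
    echo "}"
}

# geo_count ELEMENT_FILE: number of ranges written into one element file.
geo_count() {
    grep -c -- '-' "$1"
}

# Demo on the constructed sample: generate element files, show one, and
# print the ruleset that must be loaded before them.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_CSV" > "$WORK/dbip.csv"
geo_generate "$WORK/dbip.csv" "$WORK/sets"
cat "$WORK/sets/cn.v4.nft"
geo_ruleset CN AU
```

Load order matters: `nft -f` the ruleset first so the table and empty sets exist, then `nft -f sets/cn.v4.nft` (and so on) to fill them. After a new database download, regenerate the files, `nft flush set inet filter geo_cn_v4`, and reload the element file; because the elements live only in the generated files, there is no second copy to drift out of sync. If your data source can contain adjacent or overlapping ranges, declare the sets with the `auto-merge` flag as well, since nftables otherwise refuses overlapping elements in an interval set.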

Discussions

Please see our Discussions Page to ask for help, share ideas, or for questions about the project.

Around the Web

Feature Article - LinuxSecurity.com - Geolocation for nftables Brings Simplicity & Flexibility to Geolocation Matching

Slashdot.org - Should You Block Connections to Your Network From Foreign Countries?

License

Geolocation for nftables is licensed under the GNU GPLv2 (or at your option, any later version).

Contributing

  • You can help us by spreading the good word about the project online.
  • Please see the Contributing Guide for more information on how you can help.
  • If you're a package maintainer, feel free to contact us if you have any questions.

Credits

Maintainer

Please see the Geolocation for nftables Copyright Notice.
Special thanks to the nftables project for creating a robust firewall framework.
IP Geolocation by DB-IP - https://db-ip.com
Raspberry Pi is a trademark of the Raspberry Pi Foundation.
Photos used to create the header image courtesy of NASA Visible Earth.
All trademarks, logos and copyrights are the property of their respective owners.

Resources

https://netfilter.org/projects/nftables/
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
http://netfilter.org/mailinglists.html#ml-user
https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
https://db-ip.com/db/lite.php
https://db-ip.com/faq.php
https://linuxsecurity.com/
https://wiki.archlinux.org/title/Nftables
https://unstats.un.org/unsd/methodology/m49/overview