How to block an country with NFTables and db ip

How to block an country with NFTables and db ip

It can be useful in order to reduce the surface attack by allow only one or several countries to access to your web site. I manage a site which has an exclusively public in France. The server I use is a Debian 10 with Nftables as firewall. I have searched for a long time on the web an easy and fast solution, Nftables being recent, and the most of sites deals with Iptables, IP database maxmind with the mmdb format to convert…
I will explain in this post how to configure Nftables with the geoip database DB-IP which can be updated for free every month.

configuration db geoip

First we will clone the repo from github.

git clone https://github.com/JMGuisadoG/nftables-geoip

We run the script in the directory

cd nftables-geoip
./nft_geoip.py --file-location location.csv --download

The script has generated several files with nft format as well the IP database with csv format

Configuration Nftables

Then, we will create a directory nftables in /etc to store the useful files

sudo mkdir /etc/nftables
sudo mv geoip-ipv4.nft /etc/nftables
sudo mv geoip-def-all.nft /etc/nftables

As mentioned on the github “It is not possible to use the country definitions inside an interactive nft shell“. We have to modify the configuration file of Ntables (/etc/nftables.conf )

table inet filter {

        include "/etc/nftables/geoip-def-all.nft"
        include "/etc/nftables/geoip-ipv4.nft"
        include "/etc/nftables/geoip-ipv6.nft"

        chain output {
                type filter hook output priority filter; policy accept;
        }

        chain input {
                type filter hook input priority filter; policy accept;
                meta mark set ip saddr map @geoip4
                meta mark set ip6 saddr map @geoip6
                meta mark $FR tcp dport 443 accept
                tcp dport 443 drop
        }
}

The parameter include allow to load the geoip databases. At beginning, I used the cloned directory in home but it does not work. So I create the directory nftables in /etc .
meta mark set ip : allow to mark the inbound packets with their country code.
meta mark $FR allow to apply the NTables arguments on the packets marked FR.
For the example, I allow all the packets from France with the destination port 443. You can adapt to your configuration.

Official nftables site

SEE TOO Crowdsec Installation on rpi3 with DietPi / Raspberry OS

Leave a Reply

Your email address will not be published. Required fields are marked *