
Using nftables

François KUBLER edited this page Jun 21, 2018 · 2 revisions

The following document should help you configure nftables so that Ellis can interact with it via the nftables.ban Action.

Disclaimer

WARNING: make sure you know what you are doing!

Building a complete ruleset for your firewall is out of the scope of this documentation. We assume that you already have a working ruleset and that you know what you are doing.

Please also note that the commands and configuration examples below are hints only. You may have to adjust them to fit your existing setup and needs.

Setting up nftables

Creating nftables sets

Ellis requires two named sets to ban IP addresses: one for IPv4 addresses and one for IPv6 addresses. Both sets are created with a default timeout: when an IP address is added to a set, its timeout starts counting down, and once it reaches zero the address is automatically removed from the set (and thus unbanned).

Please note that the set names must be kept exactly as given below.

To create the two needed named sets, run the following as root:

nft add set [<table_family>] <table> ellis_blacklist4 { type ipv4_addr\; timeout 7d\; }
nft add set [<table_family>] <table> ellis_blacklist6 { type ipv6_addr\; timeout 7d\; }

Notes:

  • Please replace <table> with the actual name of your table.
  • You may also have to specify the family of your table unless it's the default one (currently: ip).
  • Also adjust the timeout value to your needs.

Or add the following lines to the appropriate part of your nftables configuration file (inside the table block):

set ellis_blacklist4 {
    type ipv4_addr
    timeout 7d
}

set ellis_blacklist6 {
    type ipv6_addr
    timeout 7d
}

Adding filtering rules

Now that we have the sets that store the banned IP addresses, we just have to tell nftables to drop everything coming from the addresses stored in them.

To do so, run the following as root:

nft add rule [<table_family>] <table> <chain> ip saddr @ellis_blacklist4 drop
nft add rule [<table_family>] <table> <chain> ip6 saddr @ellis_blacklist6 drop

Notes:

  • Please replace <table> and <chain> with the actual names of your table and chain.
  • You may also have to specify the family of your table unless it's the default one (currently: ip).

Or add the following lines to the appropriate part of your nftables configuration file (inside the chain definition of that table):

chain <chain> {
    # [...] Some rules
    ip saddr @ellis_blacklist4 drop
    ip6 saddr @ellis_blacklist6 drop
    # [...] Some rules
}
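The two steps above (creating the sets, then adding the drop rules) put together as one complete ruleset, as an added example that is not part of the Ellis project or of this wiki. It assumes an inet family table named filter with an input chain, so that one table covers both IPv4 and IPv6; the table and chain names, the minimal accept rules around the drop rules, and the address 192.0.2.10 are all assumptions made for the example and must be adapted to your own setup. The script emits the ruleset, runs a text sanity check that the set names and drop rules are spelled exactly as Ellis expects, and offers a separate dry-run-then-load function meant to be called by root.

```shell
#!/bin/sh
# Added example (not part of the Ellis project): a minimal but complete
# nftables ruleset containing the two sets Ellis expects and the two drop
# rules, plus a text sanity check. Assumptions: an "inet" family table named
# "filter" with an "input" chain, so one table covers IPv4 and IPv6; adjust
# the names to your own ruleset. 192.0.2.10 is a constructed example address.

# Emit the ruleset on stdout (nft -f syntax; comments use '#').
ellis_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Sets Ellis fills with banned sources. Elements expire automatically
    # once the set timeout (7 days here) has elapsed; an element added with
    # its own "timeout" keeps that value instead.
    set ellis_blacklist4 {
        type ipv4_addr
        timeout 7d
    }

    set ellis_blacklist6 {
        type ipv6_addr
        timeout 7d
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Match the ban sets before the conntrack shortcut, so that a source
        # banned while it still has an open connection is cut off as well.
        ip saddr @ellis_blacklist4 drop
        ip6 saddr @ellis_blacklist6 drop

        ct state established,related accept
        iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept
    }
}
EOF
}

# Text-level sanity check of a ruleset file: the two sets and the two drop
# rules must be present and spelled exactly as Ellis expects. Returns 1 and
# names the first missing item otherwise.
ellis_check_ruleset() {
    file="$1"
    for needle in 'set ellis_blacklist4 {' 'set ellis_blacklist6 {' \
                  'ip saddr @ellis_blacklist4 drop' \
                  'ip6 saddr @ellis_blacklist6 drop'; do
        grep -qF -- "$needle" "$file" || { echo "missing: $needle" >&2; return 1; }
    done
    return 0
}

# Dry-run the file with nft(8) and load it only if the dry run succeeds.
# Must be run as root; this script never calls it automatically.
ellis_load_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}

# With a path argument, write the ruleset there and sanity-check it;
# without one, print the ruleset to stdout.
if [ $# -gt 0 ]; then
    ellis_ruleset > "$1" && ellis_check_ruleset "$1"
else
    ellis_ruleset
fi
```

To check the expiry behaviour by hand once the ruleset is loaded, add an element with a short per-element timeout as root, for example nft add element inet filter ellis_blacklist4 '{ 192.0.2.10 timeout 30s }', then run nft list set inet filter ellis_blacklist4 before and after the 30 seconds have passed: the element is listed with its remaining time and then disappears, which is exactly what happens to an address banned by Ellis when the set's default timeout runs out.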