Script / daemon to block IPs in nftables by country and blacklists. It can:
- download publicly available blacklists and block the IPs listed in them,
- block or whitelist individual countries,
- whitelist individual networks or IP addresses.

Configuration options:
- IP versions supported (ipv4, ipv6),
- blocking policy (reject, drop),
- networks or IP addresses for the whitelist,
- blacklist URL addresses,
- block outbound connections to blacklisted IPs,
- list of countries,
- policy for countries (accept, block),
- ports excluded from country blocks.
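An added illustration of how the options above turn into nftables rules. This is not the project's own code (nft-blackhole renders nft-blackhole.j2 with jinja2 from nft-blackhole.yaml); it uses only the standard library, the config keys and the list contents are constructed assumptions, and the whitelist and country sets are IPv4-only for brevity. It parses a downloaded list (comments and junk lines skipped, IPv4 and IPv6 split) and renders the `inet blackhole` table: whitelist first, then the blacklist with the chosen policy, then the country rule with its excluded ports, plus an outbound chain when requested.

```python
import ipaddress
# Constructed sample of a downloaded firehol-style list: comments, blanks and junk included.
SAMPLE_BLACKLIST = """# firehol_level1 (constructed sample)
192.0.2.0/24
198.51.100.7   # single host, no prefix
2001:db8:bad::/48
not-an-ip
"""
# Constructed config in the shape of nft-blackhole.yaml; the key names are assumptions.
SAMPLE_CONFIG = {
    "block_policy": "reject",                  # reject | drop
    "block_output": True,                      # also block connections *to* listed IPs
    "whitelist": ["192.0.2.10/32", "10.0.0.0/8"],
    "country_policy": "block",                 # block listed countries | accept only them
    "country_networks": ["203.0.113.0/24"],    # stand-in for a country-ip-blocks download
    "country_exclude_ports": [22, 443],
}

def parse_blacklist(text):
    """Split a downloaded list into valid IPv4/IPv6 networks, dropping comments and junk."""
    v4, v6 = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                           # blank or junk line: skip, never abort the reload
        (v4 if net.version == 4 else v6).append(str(net))
    return v4, v6
def nft_set(name, family, elems):
    body = f" elements = {{ {', '.join(elems)} }}" if elems else ""   # nft rejects 'elements = { }'
    return f"  set {name} {{ type {family}; flags interval;{body} }}"
def render_ruleset(cfg, blacklist_text):
    v4, v6 = parse_blacklist(blacklist_text)
    verdict, ports = cfg["block_policy"], ", ".join(str(p) for p in cfg["country_exclude_ports"])
    country = "@country" if cfg["country_policy"] == "block" else "!= @country"  # accept: hit all others
    lines = ["table inet blackhole {",
             nft_set("whitelist", "ipv4_addr", cfg["whitelist"]),
             nft_set("blacklist", "ipv4_addr", v4),
             nft_set("blacklist6", "ipv6_addr", v6),
             nft_set("country", "ipv4_addr", cfg["country_networks"]),
             "  chain input {", "    type filter hook input priority -1; policy accept;",
             "    ip saddr @whitelist accept",          # whitelist wins over every block below
             f"    ip saddr @blacklist {verdict}", f"    ip6 saddr @blacklist6 {verdict}",
             f"    tcp dport {{ {ports} }} accept",      # ports excluded from country blocks
             f"    ip saddr {country} {verdict}", "  }"]
    if cfg["block_output"]:                              # outbound: block connections *to* listed IPs
        lines += ["  chain output {", "    type filter hook output priority -1; policy accept;",
                  f"    ip daddr @blacklist {verdict}", "  }"]
    return "\n".join(lines + ["}"])
```

Feed the returned text to `nft -f -` to load it; an empty set is emitted without an `elements` clause because nft rejects `elements = { }`.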
Requirements:
- nftables
- python 3.8+
- python3-jinja2
- python3-pyyaml
- python3-systemd
- systemd (for the daemon)
Installed files:
/usr/local/bin/nft-blackhole.py
/usr/local/share/nft-blackhole/nft-blackhole.j2
/usr/local/etc/nft-blackhole.yaml
/usr/local/lib/systemd/system/nft-blackhole.service
/usr/local/lib/systemd/system/nft-blackhole-reload.service
/usr/local/lib/systemd/system/nft-blackhole-reload.timer

Configuration file:
/usr/local/etc/nft-blackhole.yaml
Usage, running the script directly:
/usr/local/bin/nft-blackhole.py start
/usr/local/bin/nft-blackhole.py reload
/usr/local/bin/nft-blackhole.py restart
/usr/local/bin/nft-blackhole.py stop

Usage with systemd:
systemctl enable nft-blackhole.service
systemctl start nft-blackhole.service
systemctl reload nft-blackhole.service
systemctl restart nft-blackhole.service
Check the active rules:
nft list chain inet blackhole input
nft list table inet blackhole

Reload (refresh the lists and re-apply the rules):
/usr/local/bin/nft-blackhole.py reload
systemctl reload nft-blackhole.service

Periodic reload with cron (every 6 hours):
0 */6 * * * systemctl reload nft-blackhole.service

Periodic reload with the systemd timer:
systemctl enable --now nft-blackhole-reload.timer
systemctl list-timers --all
IP list sources:
- country-ip-blocks - CIDR country-level IP lists,
- https://iplists.firehol.org/ - aggregated, publicly available blacklists.

Code released under the MIT license.