No description
- Python 100%
| src/blocklist | ||
| .gitignore | ||
| .python-version | ||
| pyproject.toml | ||
| README.md | ||
| uv.lock | ||
blocklist
Update nftables blocklists with IP addresses from popular sources like Spamhaus and blocklist.de.
Features
- Fetches and parses IP blocklists from Spamhaus and blocklist.de.
- Collapses overlapping IP networks.
- Automatically generates and applies
nftablesscripts to update firewall sets. - Caches requests to minimize network traffic.
Installation
Clone this somewhere, and do uv sync to install dependencies and create the cli script.
Usage
First, you need to create the andy-blocklist table in /etc/nftables.conf
table inet andy-blocklist {
set allowlist4 {
type ipv4_addr
flags interval
auto-merge
# put your own admin/management IPs here so a bad feed can't lock you out
elements = { 127.0.0.1, 10.7.0.0/24 }
}
set allowlist6 {
type ipv6_addr
flags interval
auto-merge
# put your own admin/management IPs here so a bad feed can't lock you out
elements = { ::1 }
}
set blocklist4 {
type ipv4_addr
flags interval
auto-merge
}
set blocklist6 {
type ipv6_addr
flags interval
auto-merge
}
chain prerouting {
type filter hook prerouting priority raw; policy accept;
ip saddr @allowlist4 accept
ip6 saddr @allowlist6 accept
# I don't want to get locked out of my server
tcp dport 22 accept
ip saddr @blocklist4 counter drop
ip6 saddr @blocklist6 counter drop
}
}
Run systemctl restart nftables to apply the above. Then run the blocklist command as root:
sudo /path/to/project/.venv/bin/blocklist
or put it in your crontab; spamhaus updates daily, blocklist updates more frequently; running once a day should be fine, but it's up to you.
You can also use the --dry-run flag to see the generated nftables script without applying it.
Dependencies
cyclopts: CLI argument parsingoxl-libnftables: Interaction with nftablesrequests-cache: Request cachingstructlog: Structured logging