How do I block IPs from a certain country with nftables?
I'm seeing a lot of attacks lately from a specific country, and I'd like to be able to block all of its IP addresses using nftables.
3 Replies
I wasn't able to find any instructions on how to do this manually using nftables specifically, although I did come across this python script on GitHub which does exactly that. It's worth noting that IP geolocation is not always accurate, as the databases rely on the owners of the addresses to ensure that the locations are accurately recorded. Because of this, it's possible to accidentally block legitimate traffic in an instance where this information is not kept fully up to date.
It may be worth considering instead using a service like Fail2Ban to automatically block any IPs it detects using automated intrusion techniques. This way, you can avoid inadvertently blocking traffic you do want getting to your Linode.
You can't. You can however, block lists of networks and addresses with a single rule. Because the kernel evaluates a packet against nftables/iptables rules from top to bottom, the rules featuring your lists need to always be at the top (ditto for lists created/maintained by fail2ban(1)).
You also need to have some automatic mechanism for creating/updating these lists…maintaining them manually is never going to work.
See my response here:
This is a constant battle!
-- sw
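Added example, not code from any poster in this thread: a small Python script that turns a list of CIDR ranges into an nftables ruleset (an interval set plus a drop rule placed first in the chain, so it is evaluated before anything fail2ban appends) and the flush/add-element commands a refresh job would run. The ranges, table and set names are constructed for illustration; a real list would come from a geolocation database.

```python
"""Generate nftables commands that drop traffic from a list of networks.

Added example, not from the thread: a constructed list stands in for the
country ranges a geolocation database would provide.
"""
import ipaddress

# Constructed sample ranges (documentation prefixes), not a real country list.
SAMPLE_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/25",
                 "192.0.2.77/24"]

# Hypothetical table/chain/set names for the example.
TABLE, CHAIN, SET = "inet filter", "input", "country_block_v4"


def normalise_ranges(ranges):
    """Validate, keep only IPv4, merge overlapping/adjacent nets, return strings."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return [str(n) for n in ipaddress.collapse_addresses(
        n for n in nets if n.version == 4)]


def build_ruleset(ranges):
    """Ruleset for `nft -f`: an interval set and a chain whose FIRST rule drops
    any packet whose source is in the set, so it wins over later rules."""
    elems = ", ".join(normalise_ranges(ranges))
    return (f"table {TABLE} {{\n"
            f"    set {SET} {{\n"
            "        type ipv4_addr\n"
            "        flags interval\n"  # interval flag lets elements be CIDRs
            f"        elements = {{ {elems} }}\n"
            "    }\n"
            f"    chain {CHAIN} {{\n"
            "        type filter hook input priority 0; policy accept;\n"
            f"        ip saddr @{SET} counter drop\n"
            "    }\n"
            "}\n")


def refresh_commands(ranges):
    """Commands an update job runs to swap in a fresh list without touching
    the rule (so it keeps its position): flush the set, then re-add elements."""
    elems = ", ".join(normalise_ranges(ranges))
    return [f"nft flush set {TABLE} {SET}",
            f"nft add element {TABLE} {SET} {{ {elems} }}"]


if __name__ == "__main__":
    print(build_ruleset(SAMPLE_RANGES))
    print("\n".join(refresh_commands(SAMPLE_RANGES)))
```

Save the first output to a file and load it with `nft -f`; run the refresh commands from cron or a timer whenever the source list changes.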
In addition to using tools like nftables and fail2ban with geoiplookup, it is also possible to mitigate traffic at the application level.
There are some drawbacks. While utilizing application blocklisting may be more convenient, it may not be as effective as blocking traffic at the kernel level using nftables and fail2ban. It is also worth noting that blocking IP ranges based on geographical location can be easily circumvented via a proxy.
For more information on implementing geographical blocklists using applications, check out these guides: