Bash script to create nftables sets of country specific IP address ranges for use with firewall rulesets. The project provides a simple and flexible way to implement geolocation filtering with nftables. It can be a useful tool to reduce the chance of malware, ransomware and phishing attempts as well as mitigating the effects of DDoS attacks.
wirefalls/geo-nft
Geolocation for nftables is a Bash script to create nftables sets of country specific IP address ranges for use with firewall rulesets. The project provides a simple and flexible way to implement geolocation filtering with nftables. It can be a useful tool to reduce the chance of malware, ransomware and phishing attempts as well as mitigating the effects of DDoS attacks.
- A script written for the widely used Bash shell.
- Easy to set up, configure and customize with source code that's heavily commented.
- Uses the free geolocation database from db-ip.com (no EULA to accept).
- Automatically generates country-specific nftables address range sets.
- The script has a small memory footprint to run well on systems with limited RAM. A flexible configuration allows loading only minimum sets required if memory is tight.
- User settings are stored in a standard configuration file rather than using command line arguments.
- Packets can be geolocation filtered with a single nftables rule rather than two rules to mark and match packets like nftables map-based solutions.
- The script allows access to all of the valid country code address ranges in the database.
- Automatically determines your installed version of nftables and recommends the correct "include" statements for your ruleset. The script also creates "include-all" files to allow you to include all geolocation sets with a single reference on older versions of nftables that don't support include wildcards.
- The User Guide explains how to define all element definitions for geolocation sets in one file, eliminating the chance of having out-of-sync definitions in multiple files when flushing and refilling sets with new data.
- Simplified directory structure to shorten "include" path names.
- The script creates ~500 IPv4 and IPv6 set files from the geolocation database in about 11 seconds on a low power quad-core 2200ge server with SSD storage.
- Tested on Ubuntu Server, Fedora Server, and Raspberry Pi OS.
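The single-rule matching described in the feature list, as an added example that is not geo-nft's own code: a small shell function turns a few constructed rows in the db-ip lite CSV layout (assumed to be start_ip,end_ip,country) into an nftables interval set, and the closing comment shows the one rule that matches against it. Set, file path and rule names are illustrative.

```shell
#!/bin/sh
# Added example, not part of geo-nft. Builds a per-country nftables set
# from db-ip lite style rows (assumed layout: start_ip,end_ip,CC).

# Constructed sample rows in the assumed db-ip lite layout.
SAMPLE_ROWS='1.0.0.0,1.0.0.255,AU
1.0.1.0,1.0.3.255,CN
1.0.4.0,1.0.7.255,AU
2001:db8::,2001:db8:ffff:ffff:ffff:ffff:ffff:ffff,AU
1.0.8.0,1.0.15.255,CN'

# geo_set_from_rows CC FAMILY -> prints an nftables set definition named
# CC_FAMILY for country CC; FAMILY is "ipv4" or "ipv6" and rows of the
# other address family are skipped. "flags interval" lets elements be ranges.
geo_set_from_rows() {
    cc=$1; fam=$2
    if [ "$fam" = ipv4 ]; then type=ipv4_addr; else type=ipv6_addr; fi
    printf 'set %s_%s {\n\ttype %s\n\tflags interval\n\telements = {\n' \
        "$cc" "$fam" "$type"
    printf '%s\n' "$SAMPLE_ROWS" | awk -F, -v cc="$cc" -v fam="$fam" '
        $3 == cc {
            is6 = index($1, ":") > 0
            if ((fam == "ipv6") != is6) next
            # a single address stays as-is, otherwise emit "start-end"
            e = ($1 == $2) ? $1 : $1 "-" $2
            printf "%s\t\t%s", sep, e; sep = ",\n"
        }
        END { if (sep != "") printf "\n" }'
    printf '\t}\n}\n'
}

# count_elements CC FAMILY -> number of element lines in the generated set
# (element lines start with two tabs followed by an address character).
count_elements() {
    geo_set_from_rows "$1" "$2" | grep -c '^[[:blank:]]\{2\}[0-9a-f:]' || true
}

# Usage (illustrative paths): write the set file, include it, match with ONE rule.
#   geo_set_from_rows AU ipv4 > /etc/nftables/geo/AU.ipv4
#   include "geo/AU.ipv4"          # inside the table block of the ruleset
#   ip saddr @AU_ipv4 drop         # single rule, no mark/match pair needed
```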
If you find Geolocation for nftables useful, please consider giving us a Star at the top of the page.
Please see the Wiki for the latest documentation.
The Installation Guide has detailed installation instructions to get you up and running.
The User Guide explains how to configure your ruleset for geolocation filtering. The Guide now contains a troubleshooting section to ease setup.
- Bash 4.0 or newer.
- nftables v0.9.0 or newer.
- awk, curl, grep, gunzip, sed, sort, stat
Please see our Discussions Page to ask for help, share ideas, or for questions about the project.
- Feature Article - LinuxSecurity.com - Geolocation for nftables Brings Simplicity & Flexibility to Geolocation Matching
- Slashdot.org - Should You Block Connections to Your Network From Foreign Countries?
Geolocation for nftables is licensed under the GNU GPLv2 (or at your option, any later version).
- You can help us by spreading the good word about the project online.
- Please see the Contributing Guide for more information on how you can help.
- If you're a package maintainer, feel free to contact us if you have any questions.
- Wirefalls - GitHub.com/wirefalls
Please see the Geolocation for nftables Copyright Notice.
Special thanks to the nftables project for creating a robust firewall framework.
IP Geolocation by DB-IP - https://db-ip.com
Raspberry Pi is a trademark of the Raspberry Pi Foundation.
Photos used to create the header image courtesy of NASA Visible Earth.
All trademarks, logos and copyrights are the property of their respective owners.