roles/common: Use AbuseIPDB.com list in nftables

For now I am still manually updating this, as we can only hit their
API five times per day, so it is not possible to have each host get
the list themselves every day with our one API key.
Alan Orth 2021-07-31 21:46:50 +03:00
parent 7ae100faeb
commit a67d901641
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
5 changed files with 10032 additions and 0 deletions



@ -0,0 +1,14 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
2001:41d0:8:8c1::,
2400:6180:0:d1::8c9:8001,
2607:5300:203:3b58::,
2607:f298:5:102f::97c:9b51,
2607:f298:5:103f::cf7:8a8e,
2607:f298:5:6000::f25:8518,
2607:f298:6:a016::448:ebe6,
2607:f298:6:a034::eb5:2e70,
2a00:d680:20:50::68b6,
2a06:41c0:0:1::e4ca:8524,
}
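Review bot: The new list file carries no provenance: nothing in it says the addresses come from AbuseIPDB, when they were fetched, or how they are regenerated, while the commit message says this is a manual process bounded by the API quota. A header comment after the shebang, e.g. `# AbuseIPDB blacklist (IPv6), fetched <date>; refreshed manually (API quota), do not edit by hand`, would let the next person tell a stale list from a current one and find the refresh procedure. The IPv4 list added by the same commit (its diff is not shown here) would benefit from the same header.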


@ -41,6 +41,8 @@
- spamhaus-ipv4.nft - spamhaus-ipv4.nft
- spamhaus-ipv6.nft - spamhaus-ipv6.nft
- abusech-ipv4.nft - abusech-ipv4.nft
- abuseipdb-ipv4.nft
- abuseipdb-ipv6.nft
notify: notify:
- reload nftables - reload nftables


@ -47,6 +47,8 @@
- spamhaus-ipv4.nft - spamhaus-ipv4.nft
- spamhaus-ipv6.nft - spamhaus-ipv6.nft
- abusech-ipv4.nft - abusech-ipv4.nft
- abuseipdb-ipv4.nft
- abuseipdb-ipv6.nft
notify: notify:
- reload nftables - reload nftables


@ -9,6 +9,10 @@ flush ruleset
include "/etc/nftables/spamhaus-ipv4.nft" include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft" include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh # Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft" include "/etc/nftables/abusech-ipv4.nft"
@ -34,6 +38,16 @@ table inet filter {
elements = $ABUSECH_IPV4 elements = $ABUSECH_IPV4
} }
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
}
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0;
@ -46,6 +60,9 @@ table inet filter {
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list" ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
iifname lo accept comment "Allow from loopback" iifname lo accept comment "Allow from loopback"
ip protocol icmp limit rate 4/second accept comment "Allow ICMP" ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
@ -89,5 +106,8 @@ table inet filter {
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list" ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list" ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
} }
} }
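Review bot: The new `ip saddr @abuseipdb-ipv4` and `ip6 saddr @abuseipdb-ipv6` drops in the input chain sit ahead of `iifname lo accept`, so any address on the list is dropped unconditionally; since the list is an externally sourced, manually refreshed blocklist, a false positive for an address you administer from would leave no override point in the visible rules. Consider checking a small allowlist set before these drops, or at least documenting at the set definitions where the elements come from and how they are refreshed, e.g. `# Elements from AbuseIPDB blacklist; refreshed manually (API quota), single addresses only`. The sets are declared without `flags interval`, which is right for the single addresses shown in the ipv6 list, but a CIDR prefix slipping into a hand-built list would make the whole `nft -f` load fail rather than just that set, so the same comment should say so. The rule comments also diverge in wording from the neighbouring abusech rules ("Early drop of incoming packets" vs "Early drop of packets"). The input and output chains begin and end outside these hunks.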