roles/common: Use AbuseIPDB.com list in nftables

For now I am still manually updating this, as we can only hit their API five times per day, so it is not possible to have each host get the list themselves every day with our one API key.
2021-07-31 21:46:50 +03:00 · 2021-07-31 21:46:50 +03:00 · a67d901641
commit a67d901641
parent 7ae100faeb
5 changed files with 10032 additions and 0 deletions
--- a/roles/common/files/abuseipdb-ipv4.nft
+++ b/roles/common/files/abuseipdb-ipv4.nft
--- a/roles/common/files/abuseipdb-ipv6.nft
+++ b/roles/common/files/abuseipdb-ipv6.nft
@ -0,0 +1,14 @@
+#!/usr/sbin/nft -f
+
+define ABUSEIPDB_IPV6 = {
+2001:41d0:8:8c1::,
+2400:6180:0:d1::8c9:8001,
+2607:5300:203:3b58::,
+2607:f298:5:102f::97c:9b51,
+2607:f298:5:103f::cf7:8a8e,
+2607:f298:5:6000::f25:8518,
+2607:f298:6:a016::448:ebe6,
+2607:f298:6:a034::eb5:2e70,
+2a00:d680:20:50::68b6,
+2a06:41c0:0:1::e4ca:8524,
+}
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@ -41,6 +41,8 @@
      - spamhaus-ipv4.nft
      - spamhaus-ipv6.nft
      - abusech-ipv4.nft
+      - abuseipdb-ipv4.nft
+      - abuseipdb-ipv6.nft
    notify:
      - reload nftables

--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@ -47,6 +47,8 @@
      - spamhaus-ipv4.nft
      - spamhaus-ipv6.nft
      - abusech-ipv4.nft
+      - abuseipdb-ipv4.nft
+      - abuseipdb-ipv6.nft
    notify:
      - reload nftables

--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@ -9,6 +9,10 @@ flush ruleset
 include "/etc/nftables/spamhaus-ipv4.nft"
 include "/etc/nftables/spamhaus-ipv6.nft"

+# Lists updated monthly (manually)
+include "/etc/nftables/abuseipdb-ipv4.nft"
+include "/etc/nftables/abuseipdb-ipv6.nft"
+
 # Lists updated daily by update-abusech-nftables.sh
 include "/etc/nftables/abusech-ipv4.nft"

@ -34,6 +38,16 @@ table inet filter {
        elements = $ABUSECH_IPV4
    }

+    set abuseipdb-ipv4 {
+        type ipv4_addr
+        elements = $ABUSEIPDB_IPV4
+    }
+
+    set abuseipdb-ipv6 {
+        type ipv6_addr
+        elements = $ABUSEIPDB_IPV6
+    }
+
    chain input {
        type filter hook input priority 0;

@ -46,6 +60,9 @@ table inet filter {

        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"

+        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
+        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
+
        iifname lo accept comment "Allow from loopback"

        ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
@ -89,5 +106,8 @@ table inet filter {
        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"

        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
+
+        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
+        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
    }
 }