Forem: Gluecode The latest articles on Forem by Gluecode (@gluecode). https://forem.com/gluecode https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1994150%2F1ad15ea5-2108-4ec3-af31-2f4a1f5a89ad.png Forem: Gluecode https://forem.com/gluecode en Easy way to geo-fence your cloud VPS with nftables Gluecode Wed, 28 Aug 2024 22:07:10 +0000 https://forem.com/gluecode/easy-way-to-geo-fence-your-cloud-vps-with-nftables-2ee1 https://forem.com/gluecode/easy-way-to-geo-fence-your-cloud-vps-with-nftables-2ee1 <p>In times when the internet is full of shitty traffic like port scanners, bots, brute forces, script kiddies and lots of scrapers - irrelevant countries for which you most likely do not want to offer your service and from which a lot of stupid traffic comes should be filtered out by default in order to minimize risks. </p> <p>I often block everything on the relevant ports such as SSH (port 22) except my fixed IP address. Let's say you don't have a fixed IP available and still want to limit the possible sources for your cloud VPS. For example, you can say "I only allow connections from Germany" for my SSH port. How? I'll show you now!</p> <p>I use debian / ubuntu based server. We fully rely on standard which are all available in the standard apt. As geo-fence firewall we use <a href="https://wiki.nftables.org/" rel="noopener noreferrer">nftables</a>.</p> <p>Install all packages we need on your server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>nftables python3 git </code></pre> </div> <h2> Get IP address definition and keep it up to date </h2> <p>First we need the definitions of IP address ranges, which are assigned to the countries. Thank god (🙏) someone has already done the work, and so we can use the following git repo <a href="https://github.com/pvxe/nftables-geoip" rel="noopener noreferrer">pvxe/nftables-geoip</a> to map all IP addresses to countries via the db-ip.com service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone https://github.com/pvxe/nftables-geoip cd nftables-geoip </code></pre> </div> <p>Download all IP definitions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 nft_geoip.py --download --file-location location.csv </code></pre> </div> <h3> Make the downloads includeable </h3> <p>Now we need to find out the import path of nftables. The easiest way is to type the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nft --help </code></pre> </div> <p>In the output check the line:<br> -I, --includepath Add to the paths searched for include files. <strong>Default is: /etc</strong></p> <p>You will find here the default include path. Copy the following downloaded files there:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cp geoip-def-all.nft /etc/ cp geoip-ipv4.nft /etc/ cp geoip-ipv6.nft /etc/ </code></pre> </div> <p><em>Replace /etc/ with your include path if needed.</em></p> <p>Later, a cronjob bash-script should be implemented here that regularly updates the definitions.</p> <h2> Define nftables filter file </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nano /etc/nftables.conf </code></pre> </div> <p>Replace the default config with the following.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/sbin/nft -f</span> flush ruleset table inet filter <span class="o">{</span> include <span class="s2">"geoip-def-all.nft"</span> include <span class="s2">"geoip-ipv4.nft"</span> include <span class="s2">"geoip-ipv6.nft"</span> <span class="c"># all countries</span> define allcountries <span class="o">=</span> <span class="o">{</span> <span class="nv">$AF</span> ,<span class="nv">$AX</span> ,<span class="nv">$AL</span> ,<span class="nv">$DZ</span> ,<span class="nv">$AS</span> ,<span class="nv">$AD</span> ,<span class="nv">$AO</span> ,<span class="nv">$AI</span> ,<span class="nv">$AQ</span> ,<span class="nv">$AG</span> ,<span class="nv">$AR</span> ,<span class="nv">$AM</span> ,<span class="nv">$AW</span> ,<span class="nv">$AU</span> ,<span class="nv">$AT</span> ,<span class="nv">$AZ</span> ,<span class="nv">$BS</span> ,<span class="nv">$BH</span> ,<span class="nv">$BD</span> ,<span class="nv">$BB</span> ,<span class="nv">$BY</span> ,<span class="nv">$BE</span> ,<span class="nv">$BZ</span> ,<span class="nv">$BJ</span> ,<span class="nv">$BM</span> ,<span class="nv">$BT</span> ,<span class="nv">$BO</span> ,<span class="nv">$BQ</span> ,<span class="nv">$BA</span> ,<span class="nv">$BW</span> ,<span class="nv">$BV</span> ,<span class="nv">$BR</span> ,<span class="nv">$IO</span> ,<span class="nv">$BN</span> ,<span class="nv">$BG</span> ,<span class="nv">$BF</span> ,<span class="nv">$BI</span> ,<span class="nv">$CV</span> ,<span class="nv">$KH</span> ,<span class="nv">$CM</span> ,<span class="nv">$CA</span> ,<span class="nv">$KY</span> ,<span class="nv">$CF</span> ,<span class="nv">$TD</span> ,<span class="nv">$CL</span> ,<span class="nv">$CN</span> ,<span class="nv">$CX</span> ,<span class="nv">$CC</span> ,<span class="nv">$CO</span> ,<span class="nv">$KM</span> ,<span class="nv">$CG</span> ,<span class="nv">$CD</span> ,<span class="nv">$CK</span> ,<span class="nv">$CR</span> ,<span class="nv">$CI</span> ,<span class="nv">$HR</span> ,<span class="nv">$CU</span> ,<span class="nv">$CW</span> ,<span class="nv">$CY</span> ,<span class="nv">$CZ</span> ,<span class="nv">$DK</span> ,<span class="nv">$DJ</span> ,<span class="nv">$DM</span> ,<span class="nv">$DO</span> ,<span class="nv">$EC</span> ,<span class="nv">$EG</span> ,<span class="nv">$SV</span> ,<span class="nv">$GQ</span> ,<span class="nv">$ER</span> ,<span class="nv">$EE</span> ,<span class="nv">$SZ</span> ,<span class="nv">$ET</span> ,<span class="nv">$FK</span> ,<span class="nv">$FO</span> ,<span class="nv">$FJ</span> ,<span class="nv">$FI</span> ,<span class="nv">$FR</span> ,<span class="nv">$GF</span> ,<span class="nv">$PF</span> ,<span class="nv">$TF</span> ,<span class="nv">$GA</span> ,<span class="nv">$GM</span> ,<span class="nv">$GE</span> ,<span class="nv">$DE</span> ,<span class="nv">$GH</span> ,<span class="nv">$GI</span> ,<span class="nv">$GR</span> ,<span class="nv">$GL</span> ,<span class="nv">$GD</span> ,<span class="nv">$GP</span> ,<span class="nv">$GU</span> ,<span class="nv">$GT</span> ,<span class="nv">$GG</span> ,<span class="nv">$GN</span> ,<span class="nv">$GW</span> ,<span class="nv">$GY</span> ,<span class="nv">$HT</span> ,<span class="nv">$HM</span> ,<span class="nv">$VA</span> ,<span class="nv">$HN</span> ,<span class="nv">$HK</span> ,<span class="nv">$HU</span> ,<span class="nv">$IS</span> ,<span class="nv">$IN</span> ,<span class="nv">$ID</span> ,<span class="nv">$IR</span> ,<span class="nv">$IQ</span> ,<span class="nv">$IE</span> ,<span class="nv">$IM</span> ,<span class="nv">$IL</span> ,<span class="nv">$IT</span> ,<span class="nv">$JM</span> ,<span class="nv">$JP</span> ,<span class="nv">$JE</span> ,<span class="nv">$JO</span> ,<span class="nv">$KZ</span> ,<span class="nv">$KE</span> ,<span class="nv">$KI</span> ,<span class="nv">$KP</span> ,<span class="nv">$KR</span> ,<span class="nv">$KW</span> ,<span class="nv">$KG</span> ,<span class="nv">$LA</span> ,<span class="nv">$LV</span> ,<span class="nv">$LB</span> ,<span class="nv">$LS</span> ,<span class="nv">$LR</span> ,<span class="nv">$LY</span> ,<span class="nv">$LI</span> ,<span class="nv">$LT</span> ,<span class="nv">$LU</span> ,<span class="nv">$MO</span> ,<span class="nv">$MG</span> ,<span class="nv">$MW</span> ,<span class="nv">$MY</span> ,<span class="nv">$MV</span> ,<span class="nv">$ML</span> ,<span class="nv">$MT</span> ,<span class="nv">$MH</span> ,<span class="nv">$MQ</span> ,<span class="nv">$MR</span> ,<span class="nv">$MU</span> ,<span class="nv">$YT</span> ,<span class="nv">$MX</span> ,<span class="nv">$FM</span> ,<span class="nv">$MD</span> ,<span class="nv">$MC</span> ,<span class="nv">$MN</span> ,<span class="nv">$ME</span> ,<span class="nv">$MS</span> ,<span class="nv">$MA</span> ,<span class="nv">$MZ</span> ,<span class="nv">$MM</span> ,<span class="nv">$NA</span> ,<span class="nv">$NR</span> ,<span class="nv">$NP</span> ,<span class="nv">$NL</span> ,<span class="nv">$NC</span> ,<span class="nv">$NZ</span> ,<span class="nv">$NI</span> ,<span class="nv">$NE</span> ,<span class="nv">$NG</span> ,<span class="nv">$NU</span> ,<span class="nv">$NF</span> ,<span class="nv">$MK</span> ,<span class="nv">$MP</span> ,<span class="nv">$NO</span> ,<span class="nv">$OM</span> ,<span class="nv">$PK</span> ,<span class="nv">$PW</span> ,<span class="nv">$PS</span> ,<span class="nv">$PA</span> ,<span class="nv">$PG</span> ,<span class="nv">$PY</span> ,<span class="nv">$PE</span> ,<span class="nv">$PH</span> ,<span class="nv">$PN</span> ,<span class="nv">$PL</span> ,<span class="nv">$PT</span> ,<span class="nv">$PR</span> ,<span class="nv">$QA</span> ,<span class="nv">$RE</span> ,<span class="nv">$RO</span> ,<span class="nv">$RU</span> ,<span class="nv">$RW</span> ,<span class="nv">$BL</span> ,<span class="nv">$SH</span> ,<span class="nv">$KN</span> ,<span class="nv">$LC</span> ,<span class="nv">$MF</span> ,<span class="nv">$PM</span> ,<span class="nv">$VC</span> ,<span class="nv">$WS</span> ,<span class="nv">$SM</span> ,<span class="nv">$ST</span> ,<span class="nv">$SA</span> ,<span class="nv">$SN</span> ,<span class="nv">$RS</span> ,<span class="nv">$SC</span> ,<span class="nv">$SL</span> ,<span class="nv">$SG</span> ,<span class="nv">$SX</span> ,<span class="nv">$SK</span> ,<span class="nv">$SI</span> ,<span class="nv">$SB</span> ,<span class="nv">$SO</span> ,<span class="nv">$ZA</span> ,<span class="nv">$GS</span> ,<span class="nv">$SS</span> ,<span class="nv">$ES</span> ,<span class="nv">$LK</span> ,<span class="nv">$SD</span> ,<span class="nv">$SR</span> ,<span class="nv">$SJ</span> ,<span class="nv">$SE</span> ,<span class="nv">$CH</span> ,<span class="nv">$SY</span> ,<span class="nv">$TW</span> ,<span class="nv">$TJ</span> ,<span class="nv">$TZ</span> ,<span class="nv">$TH</span> ,<span class="nv">$TL</span> ,<span class="nv">$TG</span> ,<span class="nv">$TK</span> ,<span class="nv">$TO</span> ,<span class="nv">$TT</span> ,<span class="nv">$TN</span> ,<span class="nv">$TR</span> ,<span class="nv">$TM</span> ,<span class="nv">$TC</span> ,<span class="nv">$TV</span> ,<span class="nv">$UG</span> ,<span class="nv">$UA</span> ,<span class="nv">$AE</span> ,<span class="nv">$GB</span> ,<span class="nv">$US</span> ,<span class="nv">$UM</span> ,<span class="nv">$UY</span> ,<span class="nv">$UZ</span> ,<span class="nv">$VU</span> ,<span class="nv">$VE</span> ,<span class="nv">$VN</span> ,<span class="nv">$VG</span> ,<span class="nv">$VI</span> ,<span class="nv">$WF</span> ,<span class="nv">$EH</span> ,<span class="nv">$YE</span> ,<span class="nv">$ZM</span> ,<span class="nv">$ZW</span> <span class="o">}</span> <span class="c"># all countries without $DE $AT $CH</span> define allcountries_without_dach <span class="o">=</span> <span class="o">{</span> <span class="nv">$AF</span> ,<span class="nv">$AX</span> ,<span class="nv">$AL</span> ,<span class="nv">$DZ</span> ,<span class="nv">$AS</span> ,<span class="nv">$AD</span> ,<span class="nv">$AO</span> ,<span class="nv">$AI</span> ,<span class="nv">$AQ</span> ,<span class="nv">$AG</span> ,<span class="nv">$AR</span> ,<span class="nv">$AM</span> ,<span class="nv">$AW</span> ,<span class="nv">$AU</span> ,<span class="nv">$AZ</span> ,<span class="nv">$BS</span> ,<span class="nv">$BH</span> ,<span class="nv">$BD</span> ,<span class="nv">$BB</span> ,<span class="nv">$BY</span> ,<span class="nv">$BE</span> ,<span class="nv">$BZ</span> ,<span class="nv">$BJ</span> ,<span class="nv">$BM</span> ,<span class="nv">$BT</span> ,<span class="nv">$BO</span> ,<span class="nv">$BQ</span> ,<span class="nv">$BA</span> ,<span class="nv">$BW</span> ,<span class="nv">$BV</span> ,<span class="nv">$BR</span> ,<span class="nv">$IO</span> ,<span class="nv">$BN</span> ,<span class="nv">$BG</span> ,<span class="nv">$BF</span> ,<span class="nv">$BI</span> ,<span class="nv">$CV</span> ,<span class="nv">$KH</span> ,<span class="nv">$CM</span> ,<span class="nv">$CA</span> ,<span class="nv">$KY</span> ,<span class="nv">$CF</span> ,<span class="nv">$TD</span> ,<span class="nv">$CL</span> ,<span class="nv">$CN</span> ,<span class="nv">$CX</span> ,<span class="nv">$CC</span> ,<span class="nv">$CO</span> ,<span class="nv">$KM</span> ,<span class="nv">$CG</span> ,<span class="nv">$CD</span> ,<span class="nv">$CK</span> ,<span class="nv">$CR</span> ,<span class="nv">$CI</span> ,<span class="nv">$HR</span> ,<span class="nv">$CU</span> ,<span class="nv">$CW</span> ,<span class="nv">$CY</span> ,<span class="nv">$CZ</span> ,<span class="nv">$DK</span> ,<span class="nv">$DJ</span> ,<span class="nv">$DM</span> ,<span class="nv">$DO</span> ,<span class="nv">$EC</span> ,<span class="nv">$EG</span> ,<span class="nv">$SV</span> ,<span class="nv">$GQ</span> ,<span class="nv">$ER</span> ,<span class="nv">$EE</span> ,<span class="nv">$SZ</span> ,<span class="nv">$ET</span> ,<span class="nv">$FK</span> ,<span class="nv">$FO</span> ,<span class="nv">$FJ</span> ,<span class="nv">$FI</span> ,<span class="nv">$FR</span> ,<span class="nv">$GF</span> ,<span class="nv">$PF</span> ,<span class="nv">$TF</span> ,<span class="nv">$GA</span> ,<span class="nv">$GM</span> ,<span class="nv">$GE</span> ,<span class="nv">$GH</span> ,<span class="nv">$GI</span> ,<span class="nv">$GR</span> ,<span class="nv">$GL</span> ,<span class="nv">$GD</span> ,<span class="nv">$GP</span> ,<span class="nv">$GU</span> ,<span class="nv">$GT</span> ,<span class="nv">$GG</span> ,<span class="nv">$GN</span> ,<span class="nv">$GW</span> ,<span class="nv">$GY</span> ,<span class="nv">$HT</span> ,<span class="nv">$HM</span> ,<span class="nv">$VA</span> ,<span class="nv">$HN</span> ,<span class="nv">$HK</span> ,<span class="nv">$HU</span> ,<span class="nv">$IS</span> ,<span class="nv">$IN</span> ,<span class="nv">$ID</span> ,<span class="nv">$IR</span> ,<span class="nv">$IQ</span> ,<span class="nv">$IE</span> ,<span class="nv">$IM</span> ,<span class="nv">$IL</span> ,<span class="nv">$IT</span> ,<span class="nv">$JM</span> ,<span class="nv">$JP</span> ,<span class="nv">$JE</span> ,<span class="nv">$JO</span> ,<span class="nv">$KZ</span> ,<span class="nv">$KE</span> ,<span class="nv">$KI</span> ,<span class="nv">$KP</span> ,<span class="nv">$KR</span> ,<span class="nv">$KW</span> ,<span class="nv">$KG</span> ,<span class="nv">$LA</span> ,<span class="nv">$LV</span> ,<span class="nv">$LB</span> ,<span class="nv">$LS</span> ,<span class="nv">$LR</span> ,<span class="nv">$LY</span> ,<span class="nv">$LI</span> ,<span class="nv">$LT</span> ,<span class="nv">$LU</span> ,<span class="nv">$MO</span> ,<span class="nv">$MG</span> ,<span class="nv">$MW</span> ,<span class="nv">$MY</span> ,<span class="nv">$MV</span> ,<span class="nv">$ML</span> ,<span class="nv">$MT</span> ,<span class="nv">$MH</span> ,<span class="nv">$MQ</span> ,<span class="nv">$MR</span> ,<span class="nv">$MU</span> ,<span class="nv">$YT</span> ,<span class="nv">$MX</span> ,<span class="nv">$FM</span> ,<span class="nv">$MD</span> ,<span class="nv">$MC</span> ,<span class="nv">$MN</span> ,<span class="nv">$ME</span> ,<span class="nv">$MS</span> ,<span class="nv">$MA</span> ,<span class="nv">$MZ</span> ,<span class="nv">$MM</span> ,<span class="nv">$NA</span> ,<span class="nv">$NR</span> ,<span class="nv">$NP</span> ,<span class="nv">$NL</span> ,<span class="nv">$NC</span> ,<span class="nv">$NZ</span> ,<span class="nv">$NI</span> ,<span class="nv">$NE</span> ,<span class="nv">$NG</span> ,<span class="nv">$NU</span> ,<span class="nv">$NF</span> ,<span class="nv">$MK</span> ,<span class="nv">$MP</span> ,<span class="nv">$NO</span> ,<span class="nv">$OM</span> ,<span class="nv">$PK</span> ,<span class="nv">$PW</span> ,<span class="nv">$PS</span> ,<span class="nv">$PA</span> ,<span class="nv">$PG</span> ,<span class="nv">$PY</span> ,<span class="nv">$PE</span> ,<span class="nv">$PH</span> ,<span class="nv">$PN</span> ,<span class="nv">$PL</span> ,<span class="nv">$PT</span> ,<span class="nv">$PR</span> ,<span class="nv">$QA</span> ,<span class="nv">$RE</span> ,<span class="nv">$RO</span> ,<span class="nv">$RU</span> ,<span class="nv">$RW</span> ,<span class="nv">$BL</span> ,<span class="nv">$SH</span> ,<span class="nv">$KN</span> ,<span class="nv">$LC</span> ,<span class="nv">$MF</span> ,<span class="nv">$PM</span> ,<span class="nv">$VC</span> ,<span class="nv">$WS</span> ,<span class="nv">$SM</span> ,<span class="nv">$ST</span> ,<span class="nv">$SA</span> ,<span class="nv">$SN</span> ,<span class="nv">$RS</span> ,<span class="nv">$SC</span> ,<span class="nv">$SL</span> ,<span class="nv">$SG</span> ,<span class="nv">$SX</span> ,<span class="nv">$SK</span> ,<span class="nv">$SI</span> ,<span class="nv">$SB</span> ,<span class="nv">$SO</span> ,<span class="nv">$ZA</span> ,<span class="nv">$GS</span> ,<span class="nv">$SS</span> ,<span class="nv">$ES</span> ,<span class="nv">$LK</span> ,<span class="nv">$SD</span> ,<span class="nv">$SR</span> ,<span class="nv">$SJ</span> ,<span class="nv">$SE</span> ,<span class="nv">$SY</span> ,<span class="nv">$TW</span> ,<span class="nv">$TJ</span> ,<span class="nv">$TZ</span> ,<span class="nv">$TH</span> ,<span class="nv">$TL</span> ,<span class="nv">$TG</span> ,<span class="nv">$TK</span> ,<span class="nv">$TO</span> ,<span class="nv">$TT</span> ,<span class="nv">$TN</span> ,<span class="nv">$TR</span> ,<span class="nv">$TM</span> ,<span class="nv">$TC</span> ,<span class="nv">$TV</span> ,<span class="nv">$UG</span> ,<span class="nv">$UA</span> ,<span class="nv">$AE</span> ,<span class="nv">$GB</span> ,<span class="nv">$US</span> ,<span class="nv">$UM</span> ,<span class="nv">$UY</span> ,<span class="nv">$UZ</span> ,<span class="nv">$VU</span> ,<span class="nv">$VE</span> ,<span class="nv">$VN</span> ,<span class="nv">$VG</span> ,<span class="nv">$VI</span> ,<span class="nv">$WF</span> ,<span class="nv">$EH</span> ,<span class="nv">$YE</span> ,<span class="nv">$ZM</span> ,<span class="nv">$ZW</span> <span class="o">}</span> chain geoip-mark-input <span class="o">{</span> <span class="nb">type </span>filter hook input priority <span class="nt">-1</span><span class="p">;</span> policy accept<span class="p">;</span> <span class="c"># Mark incomming packages with the country </span> meta mark <span class="nb">set </span>ip saddr map @geoip4 meta mark <span class="nb">set </span>ip6 saddr map @geoip6 <span class="o">}</span> chain input <span class="o">{</span> <span class="nb">type </span>filter hook input priority 0<span class="p">;</span> policy accept<span class="p">;</span> <span class="c"># example: traffic outside $DE, $AT, $CH will be blocked on port 22</span> tcp dport 22 meta mark <span class="nv">$allcountries_without_dach</span> drop <span class="c"># example: traffic outside $DE, $AT, $CH will be completly blocked </span> meta mark <span class="nv">$allcountries_without_dach</span> drop <span class="c"># example: traffic from $UK will be blocked for port 443</span> tcp dport 443 meta mark <span class="nv">$UK</span> drop <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>You have all the country codes in the <a href="https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes" rel="noopener noreferrer">ISO 3166-1</a> standard available. i.e. $US = USA, $DE = Germany, $RU = RUSSIA etc. ... Incoming traffic will be tagged with the country code. </p> <p>And here you go.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl restart nftables </code></pre> </div> <p>Now you can test your geo-fence with an VPN connection or similar.</p> <h3> More advanced </h3> <p>To make it more readable and easier to maintain, you can of course also block everything by default by replacing the following line in the input chain<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>type filter hook input priority 0; policy accept; </code></pre> </div> <p>with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>type filter hook input priority 0; policy drop; </code></pre> </div> <p>Then use the following filter rule.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tcp dport 22 meta mark $DE accept </code></pre> </div> <p>This will allow only German traffic on port 22, for example. <br> <strong>Please take care</strong>, so that you do not exclude yourself. You also have to release your internal ipnet from the local LAN or similar depending on the environment you have.</p> <p>Thanks for reading and stay safe.</p> linux beginners security tutorial