Geo Filtering for nftables Brings Simplicity & Flexibility to Geolocation Matching
This looks like a good upgrade, simplifying the blocklist use case.
Geolocation for nftables is a Bash script to create nftables sets of country specific IP address ranges for use with firewall rulesets. The project provides a simple and flexible way to implement geolocation filtering with nftables.
- A script written for the widely used Bash shell.
- Easy to set up, configure and customize with source code that's heavily commented.
- Uses the free geolocation database from db-ip.com (no EULA to accept).
- Automatically generates country-specific nftables address range sets.
- The script has a small memory footprint to run well on systems with limited RAM. A flexible configuration allows loading only minimum sets required if memory is tight.
- User settings are stored in a standard configuration file rather than using command line arguments.
- Packets can be geolocation filtered with a single nftables rule rather than two rules to mark and match packets like nftables map based solutions.
- The script allows access to all of the valid country code address ranges in the database.
- Automatically determines your installed version of nftables and recommends the correct "include" statements for your ruleset. The script also creates "include-all" files to allow you to include all geolocation sets with a single reference on older versions of nftables that don't support include wildcards.
- The User Guide explains how to define all element definitions for geolocation sets in one file, eliminating the chance of having out-of-sync definitions in multiple files when flushing and refilling sets with new data.
- Simplified directory structure to shorten "include" path names.
The script creates ~500 IPv4 and IPv6 set files from the geolocation database in about 10 seconds on a low power quad-core 2200ge server with SSD storage.
- Tested on Ubuntu Server, Fedora Server, and Raspberry Pi OS.