I have a box running the master version, so it uses fw4.
I have set up an nft set of type ipv4_addr and I want to drop/reject all IPs in it from accessing the device from WAN (I have a web service running).
But I have some difficulties... fw4 seems to use only the inet table, so it would be wise to stay on it.
nft add set inet fw4 blacklist { type ipv4_addr\; comment \"my blacklist\" \; }
nft add element inet fw4 blacklist { 101.101.101.101, 101.101.101.102 }
and then..
nft add rule inet fw4 input ip saddr @blacklist drop
But that goes nowhere. I also tried a few other chains, with luck as good as with this one. Also, with just an IP instead of a set, it works just as fine:
nft add rule inet fw4 input ip saddr 101.101.101.101 drop
The IP addresses used in this example are imaginary, for demonstration purposes only, and no IP addresses were harmed during this post.
I also tested adding a rule that blocks a certain IP, but that didn't work out either.
I tested it only to see how it is shown in nftables, but it wasn't useful as it didn't work.
I do not have the iptables/ipset utilities at all and won't; they're not useful to me. I am creating a small project similar to banIP, except it's written in C++, is a somewhat expanded version and uses nft instead of iptables/ipset. So it utilises libnftables, not shell executables, so I cannot use ipset for this.
There are some quite good documents/tutorials available on the use of nftables, but most of them don't work with stock fw4, as fw4 sets up nft to use only the inet table. And for what it's worth, they won't work anyway, as those samples use really simple firewalling; with fw4 you get tons of chains...
All this can be done using the nft command-line utility, but actually the easiest way is to use files in /etc/nftables.d.
But let's do it by hand first, as that's what I asked.
# add the set first; this line can be skipped if you want to drop a single IP only
nft add set inet fw4 blacklist { type ipv4_addr\; comment \"my blacklist\" \; }
# then add the chain
nft add chain inet fw4 blk_chain { type filter hook forward priority -1\; policy accept\; }
# and finally, add the rule. If you want to drop only one static IP, replace @blacklist with the IP address
nft add rule inet fw4 blk_chain ip saddr @blacklist drop
fw4 rules are applied with priority 0, and as our priority here is set to -1 and our chain hooks into forward, traffic goes through this filter first.
The easier way, though, is to create a file /etc/nftables.d/09-blklist.nft:
set blacklist {
    type ipv4_addr;
    comment "blk";
}
chain blk_chain {
    type filter hook forward priority -1; policy accept;
    ip saddr @blacklist drop;
    # ip saddr 101.101.101.101 drop;
}
Not that hard after all, once you realise the order of rule evaluation and forget about manipulating already existing rules.
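Added example (editor's addition, not code from the original posts): the question was about blocking traffic addressed to the device itself (the web service), which is the nftables input hook, whereas the fragment above attaches to the forward hook and therefore only filters traffic routed through the box. The fragment below, meant for /etc/nftables.d/, defines one set and two base chains, one per hook, both at priority -1 so they are evaluated before fw4's own chains (which use priority filter, i.e. 0). It goes beyond the original post in two small ways: flags interval lets the set hold prefixes as well as single hosts, and counter on each rule lets you see hits in nft list chain inet fw4 blk_input. The file name, chain names, the iifname "wan" match and the addresses are my assumptions and constructed values.

```nft
# /etc/nftables.d/09-blklist.nft  (added example, not from the original post)
# fw4 includes every *.nft file in this directory inside its own
# "table inet fw4 { ... }", so there is no table wrapper here.

# Source addresses to block. "flags interval" also allows prefixes such as
# 101.101.102.0/24; elements can still be added at runtime with
# "nft add element inet fw4 blacklist { ... }".
set blacklist {
    type ipv4_addr
    flags interval
    comment "blk"
    # constructed example addresses
    elements = { 101.101.101.101, 101.101.101.102, 101.101.102.0/24 }
}

# Traffic addressed to the router itself (the web service in the question).
# priority -1 runs before fw4's input chain (priority 0), so the drop happens
# before fw4's zone rules get a chance to accept the packet.
# iifname "wan" assumes the upstream interface is named "wan"; remove that
# match to block the listed sources on every interface.
chain blk_input {
    type filter hook input priority -1; policy accept;
    iifname "wan" ip saddr @blacklist counter drop comment "blacklist: to device"
}

# Traffic routed through the router, which is what the fragment above filtered.
chain blk_forward {
    type filter hook forward priority -1; policy accept;
    ip saddr @blacklist counter drop comment "blacklist: forwarded"
}
```

After saving the file, validate and load it with fw4 check followed by fw4 reload (or /etc/init.d/firewall reload); a syntax error in the fragment aborts the whole fw4 ruleset load, which is why the check step is worth running first. Because the chains have policy accept, anything not matched simply continues to fw4's own chains at priority 0, so the rest of the firewall configuration is untouched.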