I want to write a sh script in order to update my nftables badips set:

table inet my_table {
    set badips {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 1.2.177.195, ... }
    }
    chain my_input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "Accept anything from lo interface"
        ct state vmap { invalid : drop, established : accept, related : accept }
        tcp dport { 80, 8443 } ct state new limit rate 10/second accept comment "[nftables] Allow HTTP/HTTPS traffic but limit them to 10 new connections per second"
        ip saddr @badips drop comment "[nftables] Block ban IP"
        log prefix "[nftables log] " flags all
    }
}
I want to download several FireHOL IP lists after some time and add them to my badips:
nft add element inet my_table badips { <IP> }
How can I do that?
This one-liner should work:
grep -v "^#" IPlist.txt | while read addr ; \
do nft add element inet my_table badips { ${addr} } ; done
Replace IPlist.txt with the name of the list you downloaded.
If the list contains subnets, you may need to remove '/32' from IPv4 ranges because nftables can't handle it (checked on v1.0.2 and older):
grep -v "^#" IPlist.txt | while read addr ; \
do grep -qs ':' <<<"${addr}" || addr=$(sed 's/\/32$//' <<<"${addr}") ; \
nft add element inet my_table badips { ${addr} } ; done
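As an added example (not code from the question or the answer above), the same list handling can be folded into one `nft -f` batch so the set is replaced in a single transaction instead of one nft call per address; it reuses the question's table and set names, strips the trailing /32 as the answer does, and the FireHOL-style sample list is constructed here.

```shell
#!/bin/sh
# Added example: build an atomic nft batch from a FireHOL-style list.
# Table/set names come from the question; the sample list is constructed.

# Drop comments and blank lines, keep only IPv4 addresses or IPv4 CIDR
# prefixes, and strip a trailing /32 (the answer's workaround).
parse_ipv4_list() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    sed 's#/32$##'
}

# Emit an nft script that flushes and refills the set in one run of
# "nft -f", so the ruleset never sees an empty badips set in between.
# Returns 1 (and prints nothing) when the list yields no usable entries,
# so a truncated download never flushes the existing set.
build_nft_batch() {
    elements=$(parse_ipv4_list "$1" | paste -sd, - | sed 's/,/, /g')
    [ -n "$elements" ] || return 1
    printf 'flush set inet my_table badips\n'
    printf 'add element inet my_table badips { %s }\n' "$elements"
}

# Apply the batch; nft -f - reads it from stdin.
apply_badips() {
    build_nft_batch "$1" | nft -f -
}

# Constructed sample list with comments, blanks, IPv6 and junk lines.
sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#
# constructed sample in FireHOL list format
#
1.2.177.195/32
203.0.113.0/24   # inline comment
198.51.100.7

2001:db8::1
not-an-ip
EOF
    printf '%s' "$f"
}

# Stand-alone run: print the batch that apply_badips would feed to nft.
if [ "${1:-}" = "--demo" ]; then
    build_nft_batch "$(sample_list)"
fi
```

With `flags interval`, overlapping entries from several merged lists can be rejected by nft; adding `auto-merge` to the set definition lets nft combine them.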