Generate /etc/sysconfig/nftables-allowed-ipv4.conf and /etc/sysconfig/nftables-allowed-ipv6.conf
By default, include to list of allowed IPv4 addresses only Cloudflare IPv4 addresses.
By default, include to list of allowed IPv6 addresses only Cloudflare IPv6 addresses.
But, also it is possible to add extra IPv4 and/or IPv6 subnets in CIDR notation via command line.
See contrib/nftables.conf
for example of usage of these generated ipv4_addr / ipv6_addr sets.
See also the nginx-cloudflare, which can be used instead of nftables-tool,
if the Linux server must simultaneously allow two types of connections - both direct connections from clients
and connections only from Cloudflare networks - in this case, filtering can be applied only at the nginx level,
through the geo module.
dnf -y remove python-unversioned-command ; \
dnf -y install python3.11 python3.11-pip ; \
ln -sf /usr/bin/python3.11 /usr/bin/python ; \
ln -sf /usr/bin/pip3.11 /usr/bin/pip ; \
pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
cd /opt ; git clone https://github.com/makhomed/nftables-tool.git
pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
cd /opt/nftables-tool ; git pull
/opt/nftables-tool/nftables-tool
or
/opt/nftables-tool/nftables-tool 172.21.0.0/16 2001:DB8:11:22::/64 2001:DB8:99:77::/64
Configure cron job, for example, in file /etc/cron.d/nftables-tool:
RANDOM_DELAY=360
0 0 * * * root /opt/nftables-tool/nftables-tool
or
RANDOM_DELAY=360
0 0 * * * root /opt/nftables-tool/nftables-tool 172.21.0.0/16 2001:DB8:1:2::/64 2001:DB8:8:9::/64
- Update
contrib/nftables.confusing recommendations from RFC 4890 and related documents for IPv4 ICMP filtering.