Whitelist mode

[tbart]

My use case is the following:
My private cloud server is only ever interesting for me and my family/friends/relatives in my own country.

So I don't need any incoming connection other than from my country.
If I configure mirrors etc. accordingly and once everything is set up, even outgoing connections might be able to be limited to just a handful of international IPs (for updates).

So here goes: (How) can I easily reverse the logic to just allow traffic to/from a country specified and block all others? (Or is there some sort of parseable list of all countries so I can block all and then just remove my own country?)

Thanks in advance!

[wirefalls]

Hello,

Setting things up as you describe is pretty straightforward. You can use one of the example nftables.conf files in the Wiki to test your configuration. I’ll assume that you’re using IPv4 only, but you can adjust the instructions accordingly if using IPv6 or both. Start with the example IPv4 nftables.conf file from the Wiki. You can use the geo-ip4 nftables set in the ip filter table to store the IP address ranges for your country code. I’ll assume that your country code is AD, just like the example in the IPv4 nftables.conf file. The geo-ip4 nftables set will store IP address ranges for your country code, and your firewall rules will decide whether you accept or drop packets that match the IP address ranges in the set. Individual firewall rules allow you to reverse the logic and do what you describe. Next, you can follow the instructions in the Wiki User Guide to set up your /etc/nftables/geo-nft/refill-sets.conf file. For simplicity, you can comment out and ignore the netdev table in the User Guide example, since it’s more of an advanced feature. You can do all of your geolocation filtering in just the ip filter table. Make sure that your refill-sets.conf file has an include statement at the beginning. Next, uncomment the line to define the set name and country code that you want to use.

define-ipv4 ip filter geo-ip4 AD

You can save the refill-sets.conf file and exit. Next, run the geo-nft script to flush and fill the geo-ip4 set with IP address ranges from country code AD.

sudo geo-nft

Next, add an incoming firewall rule for HTTP/HTTPS to the input chain in your /etc/nftables.conf file, just above the current SSH rule.

ip saddr @geo-ip4 tcp dport { 80, 443} ct state new counter accept comment ”Accept HTTP/HTTPS on ports 80, 443 from addresses in set geo-ip4”

The firewall rule above does three checks on the incoming packet. The first checks if the source IP address of the packet is included in one of the IP address ranges from your country code that’s stored in the geo-ip4 set. The second checks if the tcp destination port is 80 or 443, and the third checks if it’s a new packet that’s not from an existing connection. If the packet passes all three checks then it’s accepted, and if it fails any of those checks then it moves to the next firewall rule.

If you ever need to geolocation filter outgoing packets in your output chain, you’ll want to match the destination IP address (daddr) rather than the source IP address (saddr) of the packet so that traffic is only allowed out to your country. The following rule only does two checks, and it allows packets out to new or existing connections.

ip daddr @geo-ip4 tcp dport { 80, 443} counter accept comment ”Accept HTTP/HTTPS on ports 80, 443 to addresses in set geo-ip4”

For outgoing packets headed to update servers in other countries, you can place those rules in your output chain before the geolocation rule above.

Please test these rules and let me know if you find any issues or typos. I hope that gets you going in the right direction. Let me know if you have any other questions. If you like the program, please consider giving the project a star at the top of the project page as it helps others to find the program here on GitHub.

Thanks

[tbart]

Sorry, I've been too busy to get around to doing this.

Now this totally makes sense. geo-nft just builds sets, whatever I do with them is a different story. I somehow thought it would build rules as well from just reading the docs.

Apart from the quotes in your code lines that should read " instead of ”, everything works as expected, thanks a lot!

I went the ipv4+ipv6 route as I don't know, maybe v6 will be in (actual, broad :-) ) usage somewhen. It works with geo-inet4 just as nicely.

Just took me a little to notice the commented include "/etc/nftables/geo-nft/*refill-sets.nft" at the end of /etc/nftables.conf. The comment

[..] to fill empty geolocation sets during system startup

somehow made me think that's only for system startup and I'll need it later on, if testing shows everything is working as expected. It is pretty obvious now that the sets cannot work without actually including them.
I guess there's a good reason why this is at the end - I normally expect includes at the top of files and would not have missed it there I guess.
I think the comment could be clarified, i.e. this needs to be included always (and the reason for it being at the end and what exactly that has got to do with system startup could be added additionally).

Is there a specific reason why you did not suggest the netdev table?
The nftables man page says "It is invoked before layer 3 protocol". I guess I need layer 4 for the dport stuff, but I am unsure whether the established,related stanzas will work.
I don't mind if I block all other countries before layer 4 already, I don't really need to differentiate between ports, but being able to have downloads/updates work when they are initiated from my host is pretty nice (though I think I could make do with a mirror in my country).

PS: I am in no way affiliated with this service, but I found https://dnstools.ws to be pretty practical. I tested all my config with ICMP before touching anything more serious, and luckily my country is on their ping source list, so it's really easy to see when country filtering works or not!

[tbart]

Renewing Letsencrypt certificates does not work with the standard HTTP verification mechanism if the US are not on your whitelist. There is no official list of verification servers, so we need to temporarily open up both ports for the whole world.

I came up with the following script

#!/bin/bash
# Temporarily allow all traffic on tcp 80 and 443 in (instead of the default geo-nft whitelist filter)

handle="$(nft -a list ruleset | sed -n '/letsencrypt/s#.*handle ##p')"

if [[ "$1" == "allow" ]]
then
    [[ -z $handle ]] && nft insert rule inet filter input tcp dport { 80, 443 } ct state new counter accept comment \"Accept tcp/80,tcp/443 from everywhere \(letsencrypt\)\" && exit 0
elif [[ "$1" == "deny" ]]
then
    [[ -n $handle ]] && nft delete rule inet filter input handle $handle && exit 0
else
    echo "ERROR: Not understood: \"$1\""
    exit -1
fi

Using this script (I called it /usr/local/sbin/letsencrypt_nft.sh) as pre and post hook works nicely. Just issue

certbot renew --force-renewal --pre-hook "/usr/local/sbin/letsencrypt_nft.sh allow" --post-hook "/usr/local/sbin/letsencrypt_nft.sh deny"

and renews should work as expected in the future.

[wirefalls]

I'm glad that you were able to get things working. Thanks for sharing your Let's Encrypt script.