How do I block IPs from a certain country with nftables?
I'm seeing a lot of attacks lately from a specific country, and I'd like to be able to block all of its IP addresses using
I wasn't able to find any instructions on how to do this manually using
nftables specifically, although I did come across this python script on GitHub which does exactly that. It's worth noting that IP geolocation is not always accurate, as the databases rely on the owners of the addresses to ensure that the locations are accurately recorded. Because of this, it's possible to accidentally block legitimate traffic in an instance where this information is not kept fully up to date.
It may worth considering instead using a service like Fail2Ban to automatically block any IPs it detects using automated intrusion techniques. This way, you can avoid inadvertently blocking traffic you do want getting to your Linode.
You can't. You can however, block lists of networks and addresses with a single rule. Because the kernel evaluates a packet agains nftables/iptables rules from top to bottom, the rules featuring your lists need to always be at the top (ditto for lists created/maintained by fail2ban(1)).
You also need to have some automatic mechanism for creating/updating these lists…maintaining them manually is never going to work.
See my response here:
This is a constant battle!