# nftables-blacklist configuration
# https://github.com/trick77/nftables-blacklist
#
# Most settings have sensible defaults. Override only what you need.
# See README.md for all available options.
#=== FILE PATHS ===#
# The directory is NOT created automatically - it must already exist.
# This file is presumably sourced as shell by the updater script, so keep
# it root-owned and not writable by other users (verify against the installer).
IP_BLACKLIST="/etc/nftables-blacklist/ip-blacklist.list"
NFT_BLACKLIST_SCRIPT="/etc/nftables-blacklist/blacklist.nft"
#=== BEHAVIOR ===#
# Create the nftables table and sets automatically when they are missing
FORCE="yes"
#=== BLACKLISTS ===#
# Feed URLs to fetch. Accepted schemes: https://, http://, file:///
# IPv4 and IPv6 addresses are extracted from each feed automatically.
#
# These feeds are starting-point examples, not endorsements: each one
# differs in update cadence, scope, false-positive rate and license.
# Every address they contain ends up as a drop rule, so review each feed
# before enabling it and add or remove entries to suit your environment.
BLACKLISTS=(
  # Local custom list (uncomment to enable)
  # "file:///etc/nftables-blacklist/custom.list"

  # Project Honey Pot - dictionary attacker IPs
  "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1"

  # BruteForceBlocker IP list
  # NOTE: fetched over plain HTTP, so the contents can be altered in transit
  # before they become firewall rules; use an https:// source if the
  # provider offers one.
  "http://danger.rulez.sk/projects/bruteforceblocker/blist.php"

  # Spamhaus DROP (Don't Route Or Peer) - IPv4 and IPv6
  "https://www.spamhaus.org/drop/drop_v4.json"
  "https://www.spamhaus.org/drop/drop_v6.json"

  # C.I. Army malicious IP list
  "https://cinsscore.com/list/ci-badguys.txt"

  # blocklist.de - all attackers
  "https://lists.blocklist.de/lists/all.txt"

  # GreenSnow blocklist
  "https://blocklist.greensnow.co/greensnow.txt"

  # FireHOL Level 1 (aggregates dshield, feodo, fullbogons, spamhaus_drop).
  # Fetch from iplists.firehol.org directly; the GitHub sync is broken,
  # see firehol/blocklist-ipsets#366
  "https://iplists.firehol.org/files/firehol_level1.netset"

  # StopForumSpam (last 7 days)
  "https://iplists.firehol.org/files/stopforumspam_7d.ipset"

  # Emerging Threats - compromised hosts
  "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"

  # Country / ASN blocks (uncomment and edit as needed).
  # https://lens.ipverse.net can be used to look up ASN and network info.
  # "https://raw.githubusercontent.com/ipverse/country-ip-blocks/master/country/ru/ipv4-aggregated.txt"
  # "https://raw.githubusercontent.com/ipverse/country-ip-blocks/master/country/ru/ipv6-aggregated.txt"
  # "https://raw.githubusercontent.com/ipverse/as-ip-blocks/master/as/64496/ipv4-aggregated.txt"
  # "https://raw.githubusercontent.com/ipverse/as-ip-blocks/master/as/64496/ipv6-aggregated.txt"
)
#=== WHITELIST ===#
# Addresses that must NEVER be blocked - guards against locking yourself
# out when a feed happens to contain your own IP or network.
#
# Auto-detect this server's own IPs and whitelist them
# (default: no; recommended: yes)
# AUTO_WHITELIST=no
#
# Manual entries (IPv6 entries use exact matching only). Each entry is a
# literal IP/CIDR or a "file://" URL pointing at a flat list (one IP/CIDR
# per line, '#' starts a comment). https:// and http:// URLs are NOT
# accepted here, unlike in BLACKLISTS: fetch remote lists out-of-band into
# a local file and reference that via file://. The README has a recipe for
# building such a file from JSON endpoints (e.g. Mullvad relays,
# cloud-provider IP ranges).
WHITELIST=(
  # Put this server's IP and network here to prevent self-blocking
  # "203.0.113.10"                               # single IP
  # "203.0.113.0/24"                             # CIDR range
  # "2001:db8::1"                                # IPv6 (exact match)
  # "file:///etc/nftables-blacklist/extra.list"  # local list file
)
#=== OPTIONAL OVERRIDES ===#
# Uncomment to change defaults:
# ENABLE_IPV4=yes
# ENABLE_IPV6=yes
# NFT_TABLE_NAME=blacklist
# NFT_SET_NAME_V4=blacklist4
# NFT_SET_NAME_V6=blacklist6
# NFT_CHAIN_PRIORITY=-200 # Lower = checked earlier
# BLOCK_FORWARD=no # Also block in forward chain (e.g. for containers)
# CHUNK_SIZE=5000 # IPs per nft command
# CURL_CONNECT_TIMEOUT=10
# CURL_MAX_TIME=30