Malin/krawl.es
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added iptables and nftables integration

Browse Source
This commit is contained in:
BlessedRebuS
2026-02-23 01:23:49 +01:00
parent 69e82fc030
commit 8c81dccc3b
6 changed files with 490 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
plugins/nftables/README.md Normal file
View File

@@ -0,0 +1,161 @@
# Nftables + Krawl Integration
## Overview
This guide explains how to integrate **nftables** with Krawl to automatically block detected malicious IPs at the firewall level. Nftables is the modern replacement for iptables on newer Linux systems and provides more efficient IP set-based blocking.
## Architecture
```
Krawl detects malicious IPs
Stores in database
API endpoint
Cron job fetches list
Nftables firewall blocks IPs
All traffic from banned IPs dropped
```
## Prerequisites
- Modern Linux system with nftables installed (Ubuntu 22+, Debian 12+, RHEL 9+)
- Krawl running with API accessible
- Root/sudo access
- Curl for HTTP requests
- Cron for scheduling
## When to Use Nftables
Check if your system uses nftables:
```bash
sudo nft list tables
```
If this shows tables, you're using nftables. If you get command not found, use iptables instead.
## Installation & Setup
### 1. Create the [krawl-nftables.sh](krawl-nftables.sh) script
```bash
#!/bin/bash
curl -s https://your-krawl-instance/your-dashboard-path/api/get_banlist?fwtype=iptables > /tmp/ips_to_ban.txt
sudo nft add set inet filter krawl_ban { type ipv4_addr \; } 2>/dev/null || true
while read -r ip; do
[[ -z "$ip" ]] && continue
sudo nft add element inet filter krawl_ban { "$ip" }
done < /tmp/ips_to_ban.txt
sudo nft add rule inet filter input ip saddr @krawl_ban counter drop 2>/dev/null || true
rm -f /tmp/ips_to_ban.txt
```
Make it executable:
```bash
sudo chmod +x ./krawl-nftables.sh
```
### 2. Test the Script
```bash
sudo ./krawl-nftables.sh
```
### 3. Schedule with Cron
Edit root crontab:
```bash
sudo crontab -e
```
Add this line to sync IPs every hour:
```bash
0 * * * * /path/to/krawl-nftables.sh
```
## Monitoring
### Check the Blocking Set
View blocked IPs:
```bash
sudo nft list set inet filter krawl_ban
```
Count blocked IPs:
```bash
sudo nft list set inet filter krawl_ban | grep "elements" | wc -w
```
### Check Active Rules
View all rules in the filter table:
```bash
sudo nft list table inet filter
```
Find Krawl-specific rules:
```bash
sudo nft list chain inet filter input | grep krawl_ban
```
### Monitor in Real-Time
Watch packets being dropped:
```bash
sudo nft list set inet filter krawl_ban -a
```
## Management Commands
### Manually Block an IP
```bash
sudo nft add element inet filter krawl_ban { 192.168.1.100 }
```
### Manually Unblock an IP
```bash
sudo nft delete element inet filter krawl_ban { 192.168.1.100 }
```
### List All Blocked IPs
```bash
sudo nft list set inet filter krawl_ban
```
### Clear All Blocked IPs
```bash
sudo nft flush set inet filter krawl_ban
```
### Delete the Rule
```bash
sudo nft delete rule inet filter input handle <handle>
```
## References
- [Nftables Official Documentation](https://wiki.nftables.org/)
- [Nftables Quick Reference](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes)
- [Linux Kernel Netfilter Guide](https://www.kernel.org/doc/html/latest/networking/netfilter/)
- [Nftables Man Page](https://man.archlinux.org/man/nft.8)