An ipset-based blocklist tool inspired by banIP, this ServerFault post, this ServerFault post, and this OpenWrt forum post.
I really, really wanted nftables named sets to work as advertised since iptables is deprecated. According to Red Hat, nftables named sets are just as performant as iptables ipset, but my personal testing and online research suggest otherwise. After wrestling with nftables for way too long, I just did what many IT professionals are doing -- returned to iptables. Sigh
sudo apt-get install golang-go
sudo curl -sLo /usr/local/bin/cidr-merger https://github.com/zhanhb/cidr-merger/releases/latest/download/cidr-merger-linux-arm64
sudo chmod +x /usr/local/bin/cidr-merger
- curl
- iptables
- ipset
- git
- cron
- jq
sudo apt-get autopurge -y nftables
sudo apt-get install -y curl iptables ipset git cron jq
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo git clone https://github.com/ascension-association/bloxette /var/lib/bloxette
sudo chown -R $USER:$USER /var/lib/bloxette
chmod +x /var/lib/bloxette/bloxette.sh
sudo ln -s /var/lib/bloxette/bloxette.sh /usr/local/bin/bloxette
- Edit /var/lib/bloxette/whitelists.txt, /var/lib/bloxette/blocklists.txt, and /var/lib/bloxette/geo.txt as needed
- Run
bloxette update
- Add to cron:
(sudo crontab -l ; echo "30 2 * * * sleep $((RANDOM % 1800)) && /usr/local/bin/bloxette") | sudo crontab -
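As an added example (not bloxette's own code), the following POSIX sh turns a blocklists.txt-style file into an `ipset restore` script that builds a temporary set and swaps it in atomically, so the live set never sits half-loaded while a refresh runs. It assumes one IPv4 address or CIDR per line with `#` comments and blank lines ignored; the input format, set name and set parameters are assumptions, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Return 0 when $1 is a syntactically valid IPv4 address or CIDR (/0-/32).
# Bad entries in a downloaded list would otherwise abort "ipset restore".
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# Print an "ipset restore" script for set SETNAME ($1) from FILE ($2).
# Invalid lines are reported on stderr and skipped; duplicates are dropped.
# Set parameters (hash:net, hashsize, maxelem) are assumed values.
blocklist_to_ipset() {
    setname="$1"
    file="$2"
    # Build into a scratch set first ...
    printf 'create %s_tmp hash:net family inet hashsize 1024 maxelem 65536\n' "$setname"
    # strip comments, trim whitespace, drop blank lines, dedupe
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
        | grep -v '^$' | sort -u \
        | while IFS= read -r entry; do
            if valid_ipv4_cidr "$entry"; then
                printf 'add %s_tmp %s\n' "$setname" "$entry"
            else
                printf 'skipping invalid entry: %s\n' "$entry" >&2
            fi
        done
    # ... then make sure the live set exists and swap contents atomically.
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 -exist\n' "$setname"
    printf 'swap %s_tmp %s\n' "$setname" "$setname"
    printf 'destroy %s_tmp\n' "$setname"
}
```

Pipe the output into `sudo ipset restore` once the referenced set is in an iptables rule (for example a DROP rule with `-m set --match-set SETNAME src`) so refreshed lists take effect without a gap.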