README
¶
NFTBan — Adaptive Firewall for the Modern Linux Stack
Secure by Design | Zero Trust Ready | AI-Assisted Defense
NFTBan is an enterprise-grade firewall management system built on Linux nftables — combining atomic rule updates, privilege separation through Polkit, and AI-assisted threat intelligence for a resilient, self-healing network defense layer.
BETA TESTING | We are actively finding and fixing bugs. NOT production-ready yet. Tested on 5 lab servers. Community feedback needed from diverse environments. Report issues here.
Quick Install
Rocky / AlmaLinux / RHEL / CentOS Stream 9
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm
sudo dnf install -y nftban-el9-x86_64.rpm && sudo nftban enable
Rocky / AlmaLinux / RHEL / CentOS Stream 10
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm
sudo dnf install -y nftban-el10-x86_64.rpm && sudo nftban enable
Fedora 42
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-fc42-x86_64.rpm
sudo dnf install -y nftban-fc42-x86_64.rpm && sudo nftban enable
Fedora 43
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-fc43-x86_64.rpm
sudo dnf install -y nftban-fc43-x86_64.rpm && sudo nftban enable
Ubuntu 22.04
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb
sudo dpkg -i nftban-ubuntu22.04-amd64.deb && sudo apt-get install -f -y && sudo nftban enable
Ubuntu 24.04
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb
sudo dpkg -i nftban-ubuntu24.04-amd64.deb && sudo apt-get install -f -y && sudo nftban enable
Debian 12
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb
sudo dpkg -i nftban-debian12-amd64.deb && sudo apt-get install -f -y && sudo nftban enable
From Source
git clone https://github.com/itcmsgr/nftban.git && cd nftban
sudo ./install.sh cli # CLI-only (~50MB RAM)
# or
sudo ./install.sh gui # Full with Web GUI (~200MB RAM)
Available Packages
RPM Packages (EL Family + Fedora)
| Distribution | Version | Architecture | Package |
|---|---|---|---|
| Rocky / Alma / RHEL / CentOS Stream | 9 | x86_64 | nftban-el9-x86_64.rpm |
| Rocky / Alma / RHEL / CentOS Stream | 10 | x86_64 | nftban-el10-x86_64.rpm |
| Fedora | 42 | x86_64 | nftban-fc42-x86_64.rpm |
| Fedora | 43 | x86_64 | nftban-fc43-x86_64.rpm |
DEB Packages (Ubuntu + Debian)
| Distribution | Version | Architecture | Package |
|---|---|---|---|
| Ubuntu | 22.04 (Jammy) | amd64 | nftban-ubuntu22.04-amd64.deb |
| Ubuntu | 24.04 (Noble) | amd64 | nftban-ubuntu24.04-amd64.deb |
| Debian | 12 (Bookworm) | amd64 | nftban-debian12-amd64.deb |
Packages are distro-specific and FHS compliant. Use the package matching your exact distribution version. Old versions archived in Releases.
Highlights
- 44 CLI Commands — Complete firewall management from command line
- Unified Go Backend — High-performance feeds, GeoIP, and sync operations
- Web Interface — Modern dashboard for visual management
- Dual-Table Architecture — Clean IPv4/IPv6 separation with
ip nftbanandip6 nftban - FHS Compliant — Follows Filesystem Hierarchy Standard
- Security Hardened — Systemd sandboxing, capability-based permissions
Core Features
| Feature | Description |
|---|---|
| Threat Intelligence Feeds | Automatic blocking from Spamhaus, AbuseIPDB, Firehol, etc. |
| Geographic Blocking (GeoBan) | Block/allow traffic by country code |
| Login Monitoring | Detects SSH brute-force and suspicious patterns |
| Port Scan Detection | Automatic detection and blocking of reconnaissance |
| DDoS Protection | Rate limiting, SYN flood protection, connection limits |
| Suricata IDS | Optional deep packet inspection integration |
| Prometheus Metrics | Full observability for monitoring stacks |
| Cloudflare Integration | Auto-whitelist Cloudflare proxy IPs |
Quick Start
# Verify installation
nftban version
nftban health summary
# Enable protection
nftban login enable # SSH login monitoring
nftban feeds enable # Threat intelligence feeds
nftban portscan enable # Port scan detection
# Optional: Advanced IDS integration
nftban suricata install # Install Suricata IDS (automated)
nftban suricata enable # Enable with weekly rule updates
# Common tasks
nftban ban 1.2.3.4 # Block IP
nftban unban 1.2.3.4 # Remove ban
nftban search 1.2.3.4 # Search across all sets
nftban firewall reload # Atomic reload (no downtime)
# Check status
nftban status
CLI Overview
System & Health
nftban status # Quick system overview
nftban health # System diagnostics with auto-heal
nftban validate # Firewall structure validation
nftban services # Systemd services status
IP Management
nftban ban <IP> # Ban IP (with optional timeout)
nftban unban <IP> # Remove ban
nftban search <IP> # Search across all sets
nftban whitelist add # Add to whitelist
Protection Modules
nftban login status # SSH login monitoring
nftban feeds list # Threat feed status
nftban geoban list # Geographic blocking
nftban portscan status # Port scan detection
nftban ddos status # DDoS protection
Testing
nftban smoke run # Standard smoke test
nftban smoke all # Comprehensive test (44 commands)
See CLI Commands Reference for complete documentation.
Architecture
ip nftban { # IPv4 rules
set whitelist_ipv4 {...}
set blacklist_ipv4 {...}
set feeds_ipv4 {...}
set geoban_ipv4 {...}
chain input {...}
}
ip6 nftban { # IPv6 rules
set whitelist_ipv6 {...}
set blacklist_ipv6 {...}
chain input {...}
}
Components
| Component | Type | Description |
|---|---|---|
nftban |
Bash CLI | Main command-line interface (44 commands) |
nftban-core |
Go Binary | Unified backend (feeds, geoip, sync) |
nftban-ui |
Go Binary | Web interface server |
Requirements
- Linux: Rocky/Alma/RHEL 9-10, CentOS Stream 9-10, Ubuntu 22.04+, Debian 12+, Fedora 42+
- nftables: 0.9.3+
- Bash: 4.4+
- systemd: Required
- Go 1.21+: For building from source (optional)
AI-Assisted Development
NFTBan is developed through ethical AI collaboration combining human expertise with AI capabilities:
| Partner | Role |
|---|---|
| ChatGPT (OpenAI) | Architecture & Design Planning |
| Claude Code (Anthropic) | Implementation & Testing |
| Claude AI (Anthropic) | Review & Optimization |
All AI-generated code is human-reviewed, version-controlled, and transparently attributed.
License
Mozilla Public License 2.0 (MPL-2.0)
Copyright (c) 2024-2026 NFTBan Project / Antonios Voulvoulis
Documentation
Getting Started
- Wiki Home - Complete documentation
- CLI Commands Reference - All 44 commands
- Installation Prerequisites - System requirements
Advanced Integration
- Suricata IDS Integration - Complete guide for Suricata IDS/IPS setup (2-command install, DDoS/portscan integration, performance tuning)
Security
- Security Policy - Vulnerability reporting
- Security Architecture - FHS Auto-Heal, Polkit integration
- Security Operations Guide - Hardening, monitoring, emergency procedures
- Groups and Permissions - Access control model
Community
- Website: https://nftban.com
- Report Bug - Issue tracker
- Discussions - Community forum
NFTBan - Simplifying Linux Firewall Management
nftban.com |
Report Issue |
Discussions
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
nftban-core
command
|
|
|
nftban-ui
command
|
|
|
nftban-ui-auth
command
|
|
|
nftband
command
|
|
|
internal
|
|
|
authproto
Package authproto defines shared authentication protocol types Used by both pkg/auth and cmd/nftban-ui-auth to ensure consistency
|
Package authproto defines shared authentication protocol types Used by both pkg/auth and cmd/nftban-ui-auth to ensure consistency |
|
pkg
|
|
|
api
Package api provides HTTP API handlers for NFTBan
|
Package api provides HTTP API handlers for NFTBan |
|
banlog
Package banlog provides centralized ban logging for NFTBan All ban actions (from any source) should log here for stats tracking
|
Package banlog provides centralized ban logging for NFTBan All ban actions (from any source) should log here for stats tracking |
|
logx
Package logx provides structured logging wrappers for NFTBan This centralizes log prefixes and makes future enhancements (JSON logs, levels) easier
|
Package logx provides structured logging wrappers for NFTBan This centralizes log prefixes and makes future enhancements (JSON logs, levels) easier |
|
metrics
Package metrics provides Prometheus metrics for NFTBan operations This file contains application-level metrics for ban/unban operations, feed loading, sync operations, and authentication
|
Package metrics provides Prometheus metrics for NFTBan operations This file contains application-level metrics for ban/unban operations, feed loading, sync operations, and authentication |
|
netutil
Package netutil provides network utility functions for NFTBan Centralizes IP address handling, whitelist checking, and CIDR operations
|
Package netutil provides network utility functions for NFTBan Centralizes IP address handling, whitelist checking, and CIDR operations |
|
sync
Package sync provides nftables synchronization utilities
|
Package sync provides nftables synchronization utilities |
|
system
Package system provides unified system lookup utilities
|
Package system provides unified system lookup utilities |
|
version
Package version provides centralized version information for NFTBan.
|
Package version provides centralized version information for NFTBan. |
Click to show internal directories.
Click to hide internal directories.