README
¶
NFTBan
Linux Intrusion Prevention System & nftables Firewall Manager
NFTBan is an open-source Linux Intrusion Prevention System (IPS) and firewall manager built on nftables, designed to integrate cleanly with modern Linux security stacks.
It provides automated threat detection and response using native nftables for kernel-level enforcement, with Polkit-based privilege separation for secure operation without full root access.
BETA | Tested on 5 lab servers. Community feedback needed from diverse environments. Report issues here.
Quick Install
Tier 0 — Primary Platforms
Ubuntu 24.04 LTS (Noble)
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb
sudo apt update && sudo apt install -y ./nftban-ubuntu24.04-amd64.deb && sudo nftban enable
Debian 12 (Bookworm)
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb
sudo apt update && sudo apt install -y ./nftban-debian12-amd64.deb && sudo nftban enable
Rocky / AlmaLinux / RHEL 9
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm
sudo dnf install -y nftban-el9-x86_64.rpm && sudo nftban enable
Tier 1 — Future Platforms
Debian 13 (Trixie)
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian13-amd64.deb
sudo apt update && sudo apt install -y ./nftban-debian13-amd64.deb && sudo nftban enable
Rocky / AlmaLinux / RHEL 10
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm
sudo dnf install -y nftban-el10-x86_64.rpm && sudo nftban enable
Tier 2 — Legacy Platforms
Ubuntu 22.04 LTS (Jammy)
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb
sudo apt update && sudo apt install -y ./nftban-ubuntu22.04-amd64.deb && sudo nftban enable
From Source
git clone https://github.com/itcmsgr/nftban.git && cd nftban
sudo ./install.sh cli # CLI-only (~50MB RAM)
# or
sudo ./install.sh gui # Full with Web GUI (~200MB RAM)
Available Packages
RPM Packages (EL Family)
| Tier | Distribution | Version | Package |
|---|---|---|---|
| 0 | Rocky / Alma / RHEL / CentOS Stream | 9 | nftban-el9-x86_64.rpm |
| 1 | Rocky / Alma / RHEL / CentOS Stream | 10 | nftban-el10-x86_64.rpm |
DEB Packages (Ubuntu + Debian)
| Tier | Distribution | Version | Package |
|---|---|---|---|
| 0 | Ubuntu | 24.04 (Noble) | nftban-ubuntu24.04-amd64.deb |
| 0 | Debian | 12 (Bookworm) | nftban-debian12-amd64.deb |
| 1 | Debian | 13 (Trixie) | nftban-debian13-amd64.deb |
| 2 | Ubuntu | 22.04 (Jammy) | nftban-ubuntu22.04-amd64.deb |
Packages are distro-specific and FHS compliant. Use the package matching your exact distribution version. See Supported Platforms for the full platform contract.
Features
| Feature | Description |
|---|---|
| Threat Intelligence Feeds | Automatic blocking from Spamhaus, AbuseIPDB, Firehol |
| Geographic Blocking | Block or allow traffic by country code |
| Login Monitoring | Detects SSH brute-force and suspicious authentication patterns |
| Port Scan Detection | Automatic detection and blocking of reconnaissance |
| DDoS Protection | Rate limiting, SYN flood protection, connection limits |
| Suricata IDS Integration | Optional deep packet inspection |
| Prometheus Metrics | Observability for monitoring stacks |
| Connectors | Export to Elasticsearch, Kafka, syslog, webhook |
Quick Start
# Verify installation
nftban version
nftban health summary
# Enable protection modules
nftban login enable # SSH login monitoring
nftban feeds enable # Threat intelligence feeds
nftban portscan enable # Port scan detection
# Optional: Suricata IDS integration
nftban suricata install # Install Suricata IDS
nftban suricata enable # Enable with weekly rule updates
# Common operations
nftban ban 1.2.3.4 # Block IP
nftban unban 1.2.3.4 # Remove ban
nftban search 1.2.3.4 # Search across all sets
nftban firewall reload # Atomic reload
# Check status
nftban status
CLI Overview
System & Health
nftban status # System overview
nftban health # Diagnostics with auto-heal
nftban validate # Firewall structure validation
nftban services # Systemd services status
nftban configtest # Validate config against schema
IP Management
nftban ban <IP> # Ban IP (with optional timeout)
nftban unban <IP> # Remove ban
nftban search <IP> # Search across all sets
nftban whitelist add # Add to whitelist
Protection Modules
nftban login status # SSH login monitoring
nftban feeds list # Threat feed status
nftban geoban list # Geographic blocking
nftban portscan status # Port scan detection
nftban ddos status # DDoS protection
See CLI Commands Reference for complete documentation.
Architecture
ip nftban { # IPv4 rules
set whitelist_ipv4 {...}
set blacklist_ipv4 {...}
set feeds_ipv4 {...}
set geoban_ipv4 {...}
chain input {...}
}
ip6 nftban { # IPv6 rules
set whitelist_ipv6 {...}
set blacklist_ipv6 {...}
chain input {...}
}
Components
| Component | Type | Description |
|---|---|---|
nftban |
Bash CLI | Main command-line interface (54 commands) |
nftban-core |
Go Binary | Backend for feeds, geoip, sync |
nftban-ui |
Go Binary | Web interface server |
Requirements
- Linux: Rocky/Alma/RHEL 9-10, CentOS Stream 9-10, Ubuntu 22.04+, Debian 12+
- nftables: 1.0+ (native backend)
- Bash: 4.4+
- systemd: 252+ (sysusers.d, tmpfiles.d support)
- jq: JSON processor (auto-installed)
- yq: YAML processor (auto-installed)
- Go 1.21+: For building from source (optional)
Supported Platforms
NFTBan uses a tiered support model. See the full platform contract for details.
Tier 0 — Primary (CI-Required)
| Family | Platform | Kernel | nftables |
|---|---|---|---|
| DEB | Ubuntu 24.04 LTS | 6.8 | 1.0 |
| DEB | Debian 12 | 6.1 | 1.0 |
| RPM | Rocky Linux 9.x | 5.14 | 1.0 |
Tier 1 — Future (Planned)
- Rocky Linux 10.x / AlmaLinux 10.x / RHEL 10
- Debian 13 (Trixie)
- Ubuntu 26.04 LTS
Tier 2 — Legacy (Best-Effort)
- Rocky/RHEL 8.x, Ubuntu 22.04, Debian 11
Development
NFTBan development uses AI tools for code generation and review. All code is human-reviewed and version-controlled.
| Tool | Use |
|---|---|
| ChatGPT (OpenAI) | Architecture planning |
| Claude (Anthropic) | Implementation, testing, review |
License
Mozilla Public License 2.0 (MPL-2.0)
Copyright (c) 2024-2026 NFTBan Project / Antonios Voulvoulis
Documentation
Getting Started
- Wiki Home — Complete documentation
- CLI Commands Reference — All 54 commands
- Installation Guide — Prerequisites, install, post-config
Integration
- Suricata IDS Integration — IDS/IPS setup guide
Security
- Security Policy — Vulnerability reporting
- Security Architecture — Access control, Polkit integration
- Security Operations Guide — Hardening, monitoring, procedures
Community
- Website: https://nftban.com
- Report Bug
- Discussions
NFTBan — Linux IPS & nftables Firewall Manager
nftban.com |
Report Issue |
Discussions
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
nftban-core
command
|
|
|
nftban-ui
command
|
|
|
nftban-ui-auth
command
|
|
|
nftband
command
|
|
|
internal
|
|
|
authproto
Package authproto defines shared authentication protocol types Used by both pkg/auth and cmd/nftban-ui-auth to ensure consistency
|
Package authproto defines shared authentication protocol types Used by both pkg/auth and cmd/nftban-ui-auth to ensure consistency |
|
pkg
|
|
|
analytics
Package analytics provides efficient batch operations for report generation
|
Package analytics provides efficient batch operations for report generation |
|
api
Package api provides HTTP handlers for the NFTBan web interface and REST API.
|
Package api provides HTTP handlers for the NFTBan web interface and REST API. |
|
banlog
SPDX-License-Identifier: MPL-2.0 Copyright (c) 2025 Antonios Voulvoulis <contact@nftban.com>
|
SPDX-License-Identifier: MPL-2.0 Copyright (c) 2025 Antonios Voulvoulis <contact@nftban.com> |
|
feeds
Package feeds handles threat intelligence feed processing for NFTBan.
|
Package feeds handles threat intelligence feed processing for NFTBan. |
|
ipc
Package ipc provides inter-process communication for the NFTBan daemon architecture.
|
Package ipc provides inter-process communication for the NFTBan daemon architecture. |
|
logx
Package logx provides structured logging wrappers for NFTBan This centralizes log prefixes and makes future enhancements (JSON logs, levels) easier
|
Package logx provides structured logging wrappers for NFTBan This centralizes log prefixes and makes future enhancements (JSON logs, levels) easier |
|
metrics
Package metrics provides efficient metrics collection for NFTBan This collector replaces slow bash-based metrics with fast Go implementation
|
Package metrics provides efficient metrics collection for NFTBan This collector replaces slow bash-based metrics with fast Go implementation |
|
netutil
Package netutil provides network utility functions for NFTBan Centralizes IP address handling, whitelist checking, and CIDR operations
|
Package netutil provides network utility functions for NFTBan Centralizes IP address handling, whitelist checking, and CIDR operations |
|
nftbackend
Package nftbackend provides the core interface to nftables operations.
|
Package nftbackend provides the core interface to nftables operations. |
|
safety
Package safety provides protection mechanisms to prevent self-lockout and ensure system stability during firewall operations.
|
Package safety provides protection mechanisms to prevent self-lockout and ensure system stability during firewall operations. |
|
session
Package session provides simple in-memory session management for nftban-ui.
|
Package session provides simple in-memory session management for nftban-ui. |
|
sync
Package sync provides efficient synchronization of IP sets with nftables.
|
Package sync provides efficient synchronization of IP sets with nftables. |
|
system
Package system provides unified system lookup utilities
|
Package system provides unified system lookup utilities |
|
timeutil
SPDX-License-Identifier: MPL-2.0 Copyright (c) 2025 Antonios Voulvoulis <contact@nftban.com>
|
SPDX-License-Identifier: MPL-2.0 Copyright (c) 2025 Antonios Voulvoulis <contact@nftban.com> |
|
util
SPDX-License-Identifier: MPL-2.0 Copyright (c) 2025 Antonios Voulvoulis <contact@nftban.com>
|
SPDX-License-Identifier: MPL-2.0 Copyright (c) 2025 Antonios Voulvoulis <contact@nftban.com> |
|
watchdog
============================================================================= NFTBan v1.0 - Dynamic Watchdog Package ============================================================================= SPDX-License-Identifier: MPL-2.0 meta:name="doc" meta:type="package" meta:version="1.0.0" meta:owner="Antonios Voulvoulis <contact@nftban.com>" meta:description="Package documentation for NFTBan watchdog system" meta:inventory.files="" meta:inventory.binaries="" meta:inventory.env_vars="" meta:inventory.config_files="" meta:inventory.systemd_units="" meta:inventory.network="" meta:inventory.privileges="none" =============================================================================
|
============================================================================= NFTBan v1.0 - Dynamic Watchdog Package ============================================================================= SPDX-License-Identifier: MPL-2.0 meta:name="doc" meta:type="package" meta:version="1.0.0" meta:owner="Antonios Voulvoulis <contact@nftban.com>" meta:description="Package documentation for NFTBan watchdog system" meta:inventory.files="" meta:inventory.binaries="" meta:inventory.env_vars="" meta:inventory.config_files="" meta:inventory.systemd_units="" meta:inventory.network="" meta:inventory.privileges="none" ============================================================================= |
Click to show internal directories.
Click to hide internal directories.