commit 62adbf5cbb262ffcbe3aaf373eb51893b36b9d51
Author: Minecon724
Date: Sun Jul 21 12:30:38 2024 +0200
initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..382f8dd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+this script makes nftables allows only bunny.net ips on some port so it's a must if you're using that cdn \
+
+# Usage
+By default it only affects port `31491`, oddly specific but that's because it's recommended to use a random port for hidden services. But if you use it it's not random anymore so get your own \
+You can also add your own filter rules \
+You must schedule the script, like with crontab or systemd. \
+The output ruleset is saved in `rules.nft` and ⚠️ `sudo nft -f rules.nft` is executed to apply that ruleset. The reason ⚠️ is because you might not want to do sudo and instead do safer stuff like I don't know \
+Only legacy internet protocol (also called IPv4 (ew)) is supported at this time. Not my fault
diff --git a/update.py b/update.py
new file mode 100644
index 0000000..7d3a7a7
--- /dev/null
+++ b/update.py
@@ -0,0 +1,31 @@
+import requests
+import json
+import os
+
+print("Downloading...")
+
+data = requests.get('https://bunnycdn.com/api/system/edgeserverlist').text
+ips = json.loads(data)
+
+print("Compiling...")
+text = """#!/usr/sbin/nft -f
+
+table inet bunny {
+ chain input {
+ type filter hook input priority 10;
+ tcp dport != 31491 return;
+"""
+
+for ip in ips:
+ text += f" ip saddr {ip} accept;\n"
+
+text += """ drop;
+ }
+}"""
+
+file = open('rules.nft', 'w')
+file.write(text)
+file.close()
+
+print("Submitting...")
+os.system('sudo nft -f rules.nft')
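Review bot: In update.py the edge-server list is taken straight from the HTTP response and interpolated into a ruleset that is then loaded with root privileges, with no validation of the entries and no check that the request succeeded — `requests.get(...)` has neither `timeout=` nor `raise_for_status()`, so a failed or unexpected response can become an empty or malformed list and, given the trailing `drop;`, a ruleset that blocks everything on the port. Each entry should be parsed with `ipaddress.ip_address` before it is written (only IPv4 entries make sense for `ip saddr`), and a non-list or empty result should abort before `rules.nft` is touched so the previously applied ruleset stays in force. Because the README says the script is meant to be scheduled, the generated file should also flush the existing table before redefining it (`table inet bunny {}` followed by `flush table inet bunny`, which as far as I can tell is the idempotent nft idiom), otherwise each run appends rules and retired addresses never expire. `os.system('sudo nft -f rules.nft')` ignores the exit status and resolves `rules.nft` against whatever working directory the scheduler happens to use; `subprocess.run([...], check=True)` with an absolute path is the safer form, and `ipaddress`/`subprocess` would need to be added to the imports.

```python
# … unchanged: imports and "Downloading..." print …

resp = requests.get('https://bunnycdn.com/api/system/edgeserverlist', timeout=30)
resp.raise_for_status()  # fail closed: a bad response must not reach nft as root
ips = resp.json()
if not isinstance(ips, list) or not ips:
    raise SystemExit("unexpected edge server list; leaving current ruleset untouched")
# Only plain IPv4 addresses are accepted, since the rules use `ip saddr`;
# anything that does not parse raises ValueError and aborts the run.
ips = [str(a) for a in map(ipaddress.ip_address, ips) if a.version == 4]

# Anchor the ruleset next to the script, not in the scheduler's CWD.
rules_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'rules.nft')

# … unchanged: "Compiling..." print …
text = """#!/usr/sbin/nft -f

table inet bunny {}
flush table inet bunny

table inet bunny {
# … unchanged: chain definition, per-address accept rules and closing braces …
"""

with open(rules_path, 'w') as rules_file:
    rules_file.write(text)

print("Submitting...")
subprocess.run(['sudo', 'nft', '-f', rules_path], check=True)
```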