🛡️ NFTBAN: Next-Gen Nftables Firewall

Enterprise-Grade | Atomic Updates | Polkit-Secured | AI-Ready

NFTBAN (NFTables BAN actions) is a high-performance firewall management system designed for modern Linux environments. Moving beyond legacy iptables-based scripts, NFTBAN provides a resilient, self-healing network defense layer by combining the raw power of nftables with advanced privilege separation and real-time threat intelligence.

Why NFTBAN?

• ⚡ Atomic Performance — Leverages native nftables for near-instant rule updates without flushing connections
• 🔐 Security First — Uses Polkit for granular privilege separation; management without needing full root access
• 🤖 Intelligent Defense — Integrated AI-assisted threat intelligence for proactive and self-healing network protection
• 🌐 Hosting Ready — Built-in support for DirectAdmin, cPanel, CWP, CyberPanel, and custom panels

BETA TESTING | We are actively finding and fixing bugs. NOT production-ready yet. Tested on 5 lab servers. Community feedback needed from diverse environments. Report issues here.

---

Quick Install

Rocky / AlmaLinux / RHEL / CentOS Stream 9

sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm
sudo dnf install -y nftban-el9-x86_64.rpm && sudo nftban enable

Rocky / AlmaLinux / RHEL / CentOS Stream 10

sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm
sudo dnf install -y nftban-el10-x86_64.rpm && sudo nftban enable

Fedora 42

wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-fc42-x86_64.rpm
sudo dnf install -y nftban-fc42-x86_64.rpm && sudo nftban enable

Fedora 43

wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-fc43-x86_64.rpm
sudo dnf install -y nftban-fc43-x86_64.rpm && sudo nftban enable

Ubuntu 22.04

wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb
sudo dpkg -i nftban-ubuntu22.04-amd64.deb && sudo apt-get install -f -y && sudo nftban enable

Ubuntu 24.04

wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb
sudo dpkg -i nftban-ubuntu24.04-amd64.deb && sudo apt-get install -f -y && sudo nftban enable

Debian 12

wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb
sudo dpkg -i nftban-debian12-amd64.deb && sudo apt-get install -f -y && sudo nftban enable

From Source

git clone https://github.com/itcmsgr/nftban.git && cd nftban
sudo ./install.sh cli    # CLI-only (~50MB RAM)
# or
sudo ./install.sh gui    # Full with Web GUI (~200MB RAM)

---

Available Packages

RPM Packages (EL Family + Fedora)

Distribution	Version	Architecture	Package
Rocky / Alma / RHEL / CentOS Stream	9	x86_64	nftban-el9-x86_64.rpm
Rocky / Alma / RHEL / CentOS Stream	10	x86_64	nftban-el10-x86_64.rpm
Fedora	42	x86_64	nftban-fc42-x86_64.rpm
Fedora	43	x86_64	nftban-fc43-x86_64.rpm

DEB Packages (Ubuntu + Debian)

Distribution	Version	Architecture	Package
Ubuntu	22.04 (Jammy)	amd64	nftban-ubuntu22.04-amd64.deb
Ubuntu	24.04 (Noble)	amd64	nftban-ubuntu24.04-amd64.deb
Debian	12 (Bookworm)	amd64	nftban-debian12-amd64.deb

Packages are distro-specific and FHS compliant. Use the package matching your exact distribution version. Old versions archived in Releases.

---

Highlights

• 47 CLI Commands — Complete firewall management from command line
• Unified Go Backend — High-performance feeds, GeoIP, and sync operations
• Suricata Integration — Intelligent rule management with 50-70% rule reduction
• RBL Monitoring — Real-time blackhole list checking and IP reputation tracking
• Web Interface — Modern dashboard for visual management
• Dual-Table Architecture — Clean IPv4/IPv6 separation with ip nftban and ip6 nftban
• FHS Compliant — Follows Filesystem Hierarchy Standard
• Security Hardened — Systemd sandboxing, capability-based permissions

---

Core Features

Feature	Description
Threat Intelligence Feeds	Automatic blocking from Spamhaus, AbuseIPDB, Firehol, etc.
Geographic Blocking (GeoBan)	Block/allow traffic by country code
Login Monitoring	Detects SSH brute-force and suspicious patterns
Port Scan Detection	Automatic detection and blocking of reconnaissance
DDoS Protection	Rate limiting, SYN flood protection, connection limits
Suricata IDS	Optional deep packet inspection integration
Prometheus Metrics	Full observability for monitoring stacks
Cloudflare Integration	Auto-whitelist Cloudflare proxy IPs

---

Quick Start

# Verify installation
nftban version
nftban health summary

# Enable protection
nftban login enable      # SSH login monitoring
nftban feeds enable      # Threat intelligence feeds
nftban portscan enable   # Port scan detection

# Optional: Advanced IDS integration
nftban suricata install  # Install Suricata IDS (automated)
nftban suricata enable   # Enable with weekly rule updates

# Common tasks
nftban ban 1.2.3.4       # Block IP
nftban unban 1.2.3.4     # Remove ban
nftban search 1.2.3.4    # Search across all sets
nftban firewall reload   # Atomic reload (no downtime)

# Check status
nftban status

---

CLI Overview

System & Health

nftban status          # Quick system overview
nftban health          # System diagnostics with auto-heal
nftban validate        # Firewall structure validation
nftban services        # Systemd services status

IP Management

nftban ban <IP>        # Ban IP (with optional timeout)
nftban unban <IP>      # Remove ban
nftban search <IP>     # Search across all sets
nftban whitelist add   # Add to whitelist

Protection Modules

nftban login status    # SSH login monitoring
nftban feeds list      # Threat feed status
nftban geoban list     # Geographic blocking
nftban portscan status # Port scan detection
nftban ddos status     # DDoS protection

Testing

nftban smoke run       # Standard smoke test
nftban smoke all       # Comprehensive test (44 commands)

See CLI Commands Reference for complete documentation.

---

Architecture

ip nftban {                  # IPv4 rules
    set whitelist_ipv4 {...}
    set blacklist_ipv4 {...}
    set feeds_ipv4 {...}
    set geoban_ipv4 {...}
    chain input {...}
}

ip6 nftban {                 # IPv6 rules
    set whitelist_ipv6 {...}
    set blacklist_ipv6 {...}
    chain input {...}
}

Components

Component	Type	Description
nftban	Bash CLI	Main command-line interface (44 commands)
nftban-core	Go Binary	Unified backend (feeds, geoip, sync)
nftban-ui	Go Binary	Web interface server

---

Requirements

• Linux: Rocky/Alma/RHEL 9-10, CentOS Stream 9-10, Ubuntu 22.04+, Debian 12+, Fedora 42+
• nftables: 0.9.3+
• Bash: 4.4+
• systemd: Required
• jq: JSON processor (auto-installed)
• yq: YAML processor (auto-installed via pip3)
• Go 1.21+: For building from source (optional)

---

AI-Assisted Development

NFTBan is developed through ethical AI collaboration combining human expertise with AI capabilities:

Partner	Role
ChatGPT (OpenAI)	Architecture & Design Planning
Claude Code (Anthropic)	Implementation & Testing
Claude AI (Anthropic)	Review & Optimization

All AI-generated code is human-reviewed, version-controlled, and transparently attributed.

---

License

Mozilla Public License 2.0 (MPL-2.0)

Copyright (c) 2024-2026 NFTBan Project / Antonios Voulvoulis

---

Documentation

Getting Started

• Wiki Home - Complete documentation
• CLI Commands Reference - All 44 commands
• Installation Prerequisites - System requirements

Advanced Integration

• Suricata IDS Integration - Complete guide for Suricata IDS/IPS setup (2-command install, auto-detected profiles, DDoS/portscan integration)

Security

• Security Policy - Vulnerability reporting
• Security Architecture - FHS Auto-Heal, Polkit integration
• Security Operations Guide - Hardening, monitoring, emergency procedures
• Groups and Permissions - Access control model

Community

• Website: https://nftban.com
• Report Bug - Issue tracker
• Discussions - Community forum

---

NFTBan - Linux Firewall Management via nftables
nftban.com | Report Issue | Discussions