From ArchWiki
Jump to navigation Jump to search

Merge-arrows-2.pngThis article or section is a candidate for merging with nftables.Merge-arrows-2.png

Notes: Why copy github README, and why just not include mention of your software as simple 2 line in nftables, see Template:App? (Discuss in Talk:Nft-blackhole#)

nft-blackhole - script / daemon to blocking IP in nftables by country and black lists.


  • download publicly available blacklists and block IPs from them,
  • block or whitelist individual countries,
  • whitelist individual networks or IP addresses,


Install the nft-blackholeAUR package.

Configuration file

In the configuration file /etc/nft-blackhole.conf you can define:

  • IP versions supported (ipv4, ipv6),
  • blocking policy (reject, drop,)
  • network or IP addresses for the white list,
  • blacklist url addresses,
  • list of countries, policy for countries (accept, block)


As root for start systemd unit:

# systemctl start nft-blackhole.service

for enable autostart:

# systemctl enable nft-blackhole.service

List counter packages dropped/accept

# nft list chain inet blackhole input

List table and sets for blackhole

# nft list table inet blackhole

Refresh lists


# systemctl reload nft-blackhole.service

crontab, for example:

0 */6 * * * systemctl reload nft-blackhole.service

Systemd Timer:

# systemctl enable --now nft-blackhole-reload.timer
# systemctl list-timers --all