Enterprise-Grade | Atomic Updates | Polkit-Secured | AI-Ready
NFTBAN (NFTables BAN actions) is a high-performance firewall management system designed for modern Linux environments. Moving beyond legacy iptables-based scripts, NFTBAN provides a resilient, self-healing network defense layer by combining the raw power of nftables with advanced privilege separation and real-time threat intelligence.
- ⚡ Atomic Performance — Leverages native nftables for near-instant rule updates without flushing connections
- 🔐 Security First — Uses Polkit for granular privilege separation; management without needing full root access
- 🤖 Intelligent Defense — Integrated AI-assisted threat intelligence for proactive and self-healing network protection
- 🌐 Hosting Ready — Built-in support for DirectAdmin, cPanel, CWP, CyberPanel, and custom panels
BETA TESTING | We are actively finding and fixing bugs. NOT production-ready yet. Tested on 5 lab servers. Community feedback needed from diverse environments. Report issues here.
Ubuntu 24.04 (Noble):

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb
sudo apt update && sudo apt install -y ./nftban-ubuntu24.04-amd64.deb && sudo nftban enable
```

Debian 12 (Bookworm):

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb
sudo apt update && sudo apt install -y ./nftban-debian12-amd64.deb && sudo nftban enable
```

Rocky / Alma / RHEL / CentOS Stream 9:

```bash
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm
sudo dnf install -y nftban-el9-x86_64.rpm && sudo nftban enable
```

Debian 13 (Trixie):

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian13-amd64.deb
sudo apt update && sudo apt install -y ./nftban-debian13-amd64.deb && sudo nftban enable
```

Rocky / Alma / RHEL / CentOS Stream 10:

```bash
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm
sudo dnf install -y nftban-el10-x86_64.rpm && sudo nftban enable
```

Ubuntu 22.04 (Jammy):

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb
sudo apt update && sudo apt install -y ./nftban-ubuntu22.04-amd64.deb && sudo nftban enable
```

From source:

```bash
git clone https://github.com/itcmsgr/nftban.git && cd nftban
sudo ./install.sh cli   # CLI-only (~50MB RAM)
# or
sudo ./install.sh gui   # Full with Web GUI (~200MB RAM)
```

| Tier | Distribution | Version | Package |
|---|---|---|---|
| 0 | Rocky / Alma / RHEL / CentOS Stream | 9 | nftban-el9-x86_64.rpm |
| 1 | Rocky / Alma / RHEL / CentOS Stream | 10 | nftban-el10-x86_64.rpm |
Note: Fedora is the upstream development platform for RHEL. The `el9` package (based on Fedora 34) and the `el10` package (based on Fedora 40) cover enterprise use cases. Fedora users can use the corresponding EL package.
| Tier | Distribution | Version | Package |
|---|---|---|---|
| 0 | Ubuntu | 24.04 (Noble) | nftban-ubuntu24.04-amd64.deb |
| 0 | Debian | 12 (Bookworm) | nftban-debian12-amd64.deb |
| 1 | Debian | 13 (Trixie) | nftban-debian13-amd64.deb |
| 2 | Ubuntu | 22.04 (Jammy) | nftban-ubuntu22.04-amd64.deb |
Packages are distro-specific and FHS compliant. Use the package matching your exact distribution version. See Supported Platforms for the full platform contract. Old versions are archived in Releases.
- 49 CLI Commands — Complete firewall management from command line
- Unified Go Backend — High-performance feeds, GeoIP, and sync operations
- Suricata Integration — Intelligent rule management with 50-70% rule reduction
- RBL Monitoring — Real-time blackhole list checking and IP reputation tracking
- Web Interface — Modern dashboard for visual management
- Dual-Table Architecture — Clean IPv4/IPv6 separation with `ip nftban` and `ip6 nftban`
- FHS Compliant — Follows Filesystem Hierarchy Standard
- Security Hardened — Systemd sandboxing, capability-based permissions
| Feature | Description |
|---|---|
| Threat Intelligence Feeds | Automatic blocking from Spamhaus, AbuseIPDB, Firehol, etc. |
| Geographic Blocking (GeoBan) | Block/allow traffic by country code |
| Login Monitoring | Detects SSH brute-force and suspicious patterns |
| Port Scan Detection | Automatic detection and blocking of reconnaissance |
| DDoS Protection | Rate limiting, SYN flood protection, connection limits |
| Suricata IDS | Optional deep packet inspection integration |
| Prometheus Metrics | Full observability for monitoring stacks |
| Cloudflare Integration | Auto-whitelist Cloudflare proxy IPs |
```bash
# Verify installation
nftban version
nftban health summary

# Enable protection
nftban login enable      # SSH login monitoring
nftban feeds enable      # Threat intelligence feeds
nftban portscan enable   # Port scan detection

# Optional: Advanced IDS integration
nftban suricata install  # Install Suricata IDS (automated)
nftban suricata enable   # Enable with weekly rule updates

# Common tasks
nftban ban 1.2.3.4       # Block IP
nftban unban 1.2.3.4     # Remove ban
nftban search 1.2.3.4    # Search across all sets
nftban firewall reload   # Atomic reload (no downtime)

# Check status
nftban status
```

Status and diagnostics:

```bash
nftban status        # Quick system overview
nftban health        # System diagnostics with auto-heal
nftban validate      # Firewall structure validation
nftban services      # Systemd services status
nftban configtest    # Validate config against schema
nftban configaudit   # Audit config for drift and changes
```

IP management:

```bash
nftban ban <IP>        # Ban IP (with optional timeout)
nftban unban <IP>      # Remove ban
nftban search <IP>     # Search across all sets
nftban whitelist add   # Add to whitelist
```

Protection modules:

```bash
nftban login status      # SSH login monitoring
nftban feeds list        # Threat feed status
nftban geoban list       # Geographic blocking
nftban portscan status   # Port scan detection
nftban ddos status       # DDoS protection
```

Testing:

```bash
nftban smoke run   # Standard smoke test
nftban smoke all   # Comprehensive test (44 commands)
```

See CLI Commands Reference for complete documentation.
```nft
ip nftban {                    # IPv4 rules
    set whitelist_ipv4 {...}
    set blacklist_ipv4 {...}
    set feeds_ipv4 {...}
    set geoban_ipv4 {...}
    chain input {...}
}
ip6 nftban {                   # IPv6 rules
    set whitelist_ipv6 {...}
    set blacklist_ipv6 {...}
    chain input {...}
}
```
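The dual-table layout above, written out as an added example (not NFTBan's own code): one generator per address family, applied as a single `nft -f` transaction so the table is never half-built, plus the statement that adds an address to the matching family's ban set. Set names follow the README; the rule order, chain priority and the `timeout` flag on the ban sets are assumptions made for this example.

```shell
# Added example (not NFTBan's code): one ruleset per address family, applied atomically.
# Set names follow the README; rule order, priority and timeout flags are assumptions.

# gen_ruleset FAMILY: print a complete ruleset for "ip" (IPv4) or "ip6" (IPv6).
# The first two statements create the table if absent and drop the old copy;
# nft -f commits everything in one transaction, so there is no half-built table.
gen_ruleset() {
    fam=$1
    case "$fam" in
        ip)  suf=ipv4; addr=ipv4_addr ;;
        ip6) suf=ipv6; addr=ipv6_addr ;;
        *)   echo "unknown family: $fam" >&2; return 1 ;;
    esac
    cat <<EOF
table $fam nftban {}
delete table $fam nftban
table $fam nftban {
    set whitelist_$suf { type $addr; flags interval; }
    set blacklist_$suf { type $addr; flags interval, timeout; }
    set feeds_$suf     { type $addr; flags interval, timeout; }
    set geoban_$suf    { type $addr; flags interval; }
    chain input {
        type filter hook input priority -10; policy accept;
        $fam saddr @whitelist_$suf accept
        $fam saddr @blacklist_$suf counter drop
        $fam saddr @feeds_$suf counter drop
        $fam saddr @geoban_$suf counter drop
    }
}
EOF
}

# ban_cmd ADDRESS [TIMEOUT]: print the statement that adds the address to the
# matching family's blacklist; with a timeout the ban expires on its own.
ban_cmd() {
    ip=$1; timeout=${2:-}
    case "$ip" in
        *:*) fam=ip6; suf=ipv6 ;;
        *)   fam=ip;  suf=ipv4 ;;
    esac
    printf 'add element %s nftban blacklist_%s { %s%s }\n' \
        "$fam" "$suf" "$ip" "${timeout:+ timeout $timeout}"
}

# apply_all: check each ruleset with nft -c, then load it (needs root + nftables).
apply_all() {
    for fam in ip ip6; do
        gen_ruleset "$fam" | nft -c -f - && gen_ruleset "$fam" | nft -f -
    done
}
```

Because `nft -f` applies the whole file as one commit, a failed `-c` check leaves the running ruleset untouched, and the `timeout` element flag is what lets a ban such as `ban_cmd 1.2.3.4 1h` expire without a second command.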
| Component | Type | Description |
|---|---|---|
| `nftban` | Bash CLI | Main command-line interface (44 commands) |
| `nftban-core` | Go Binary | Unified backend (feeds, geoip, sync) |
| `nftban-ui` | Go Binary | Web interface server |
- Linux: Rocky/Alma/RHEL 9-10, CentOS Stream 9-10, Ubuntu 22.04+, Debian 12+
- nftables: 1.0+ (native backend)
- Bash: 4.4+
- systemd: 252+ (sysusers.d, tmpfiles.d support)
- jq: JSON processor (auto-installed)
- yq: YAML processor (auto-installed via pip3)
- Go 1.21+: For building from source (optional)
NFTBan uses a tiered support model. See the full platform contract for details.
| Family | Platform | Kernel | nftables |
|---|---|---|---|
| DEB | Ubuntu 24.04 LTS | 6.8 | 1.0 |
| DEB | Debian 12 | 6.1 | 1.0 |
| RPM | Rocky Linux 9.x | 5.14 | 1.0 |
NFTBan is correct if it builds and passes receipt-based audit on these platforms.
- Rocky Linux 10.x / AlmaLinux 10.x / RHEL 10
- Debian 13 (Trixie)
- Ubuntu 26.04 LTS
- Rocky/RHEL 8.x, Ubuntu 22.04, Debian 11
NFTBan is developed through ethical AI collaboration combining human expertise with AI capabilities:
| Partner | Role |
|---|---|
| ChatGPT (OpenAI) | Architecture & Design Planning |
| Claude Code (Anthropic) | Implementation & Testing |
| Claude AI (Anthropic) | Review & Optimization |
All AI-generated code is human-reviewed, version-controlled, and transparently attributed.
Mozilla Public License 2.0 (MPL-2.0)
Copyright (c) 2024-2026 NFTBan Project / Antonios Voulvoulis
- Wiki Home - Complete documentation
- CLI Commands Reference - All 44 commands
- Installation Prerequisites - System requirements
- Suricata IDS Integration - Complete guide for Suricata IDS/IPS setup (2-command install, auto-detected profiles, DDoS/portscan integration)
- Security Policy - Vulnerability reporting
- Security Architecture - FHS Auto-Heal, Polkit integration
- Security Operations Guide - Hardening, monitoring, emergency procedures
- Groups and Permissions - Access control model
- Website: https://nftban.com
- Report Bug - Issue tracker
- Discussions - Community forum
NFTBan - Linux Firewall Management via nftables