Linux Intrusion Prevention System & nftables Firewall Manager
NFTBan is an open-source Linux Intrusion Prevention System (IPS) and firewall manager built on nftables, designed to integrate cleanly with modern Linux security stacks.
It provides automated threat detection and response using native nftables for kernel-level enforcement, with Polkit-based privilege separation for secure operation without full root access.
BETA | Tested on 5 lab servers. Community feedback needed from diverse environments. Report issues here.
```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb
sudo apt update && sudo apt install -y ./nftban-ubuntu24.04-amd64.deb && sudo nftban enable
```

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb
sudo apt update && sudo apt install -y ./nftban-debian12-amd64.deb && sudo nftban enable
```

```bash
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm
sudo dnf install -y nftban-el9-x86_64.rpm && sudo nftban enable
```

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian13-amd64.deb
sudo apt update && sudo apt install -y ./nftban-debian13-amd64.deb && sudo nftban enable
```

```bash
sudo dnf install -y epel-release && sudo dnf config-manager --set-enabled crb
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm
sudo dnf install -y nftban-el10-x86_64.rpm && sudo nftban enable
```

```bash
wget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb
sudo apt update && sudo apt install -y ./nftban-ubuntu22.04-amd64.deb && sudo nftban enable
```

```bash
git clone https://github.com/itcmsgr/nftban.git && cd nftban
sudo ./install.sh cli   # CLI-only (~50MB RAM)
# or
sudo ./install.sh gui   # Full with Web GUI (~200MB RAM)
```

| Tier | Distribution | Version | Package |
|---|---|---|---|
| 0 | Rocky / Alma / RHEL / CentOS Stream | 9 | nftban-el9-x86_64.rpm |
| 1 | Rocky / Alma / RHEL / CentOS Stream | 10 | nftban-el10-x86_64.rpm |

| Tier | Distribution | Version | Package |
|---|---|---|---|
| 0 | Ubuntu | 24.04 (Noble) | nftban-ubuntu24.04-amd64.deb |
| 0 | Debian | 12 (Bookworm) | nftban-debian12-amd64.deb |
| 1 | Debian | 13 (Trixie) | nftban-debian13-amd64.deb |
| 2 | Ubuntu | 22.04 (Jammy) | nftban-ubuntu22.04-amd64.deb |
Packages are distro-specific and FHS compliant. Use the package matching your exact distribution version. See Supported Platforms for the full platform contract.
| Feature | Description |
|---|---|
| Threat Intelligence Feeds | Automatic blocking from Spamhaus, AbuseIPDB, Firehol |
| Geographic Blocking | Block or allow traffic by country code |
| Login Monitoring | Detects SSH brute-force and suspicious authentication patterns |
| Port Scan Detection | Automatic detection and blocking of reconnaissance |
| DDoS Protection | Rate limiting, SYN flood protection, connection limits |
| Suricata IDS Integration | Optional deep packet inspection |
| Prometheus Metrics | Observability for monitoring stacks |
| Connectors | Export to Elasticsearch, Kafka, syslog, webhook |
```bash
# Verify installation
nftban version
nftban health summary

# Enable protection modules
nftban login enable       # SSH login monitoring
nftban feeds enable       # Threat intelligence feeds
nftban portscan enable    # Port scan detection

# Optional: Suricata IDS integration
nftban suricata install   # Install Suricata IDS
nftban suricata enable    # Enable with weekly rule updates

# Common operations
nftban ban 1.2.3.4        # Block IP
nftban unban 1.2.3.4      # Remove ban
nftban search 1.2.3.4     # Search across all sets
nftban firewall reload    # Atomic reload

# Check status
nftban status
```

```bash
nftban status             # System overview
nftban health             # Diagnostics with auto-heal
nftban validate           # Firewall structure validation
nftban services           # Systemd services status
nftban configtest         # Validate config against schema
```

```bash
nftban ban <IP>           # Ban IP (with optional timeout)
nftban unban <IP>         # Remove ban
nftban search <IP>        # Search across all sets
nftban whitelist add      # Add to whitelist
```

```bash
nftban login status       # SSH login monitoring
nftban feeds list         # Threat feed status
nftban geoban list        # Geographic blocking
nftban portscan status    # Port scan detection
nftban ddos status        # DDoS protection
```

See CLI Commands Reference for complete documentation.
```
ip nftban {                 # IPv4 rules
    set whitelist_ipv4 {...}
    set blacklist_ipv4 {...}
    set feeds_ipv4 {...}
    set geoban_ipv4 {...}
    chain input {...}
}
ip6 nftban {                # IPv6 rules
    set whitelist_ipv6 {...}
    set blacklist_ipv6 {...}
    chain input {...}
}
```
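Because every decision lives in named sets inside the `nftban` tables, a ban can be cross-checked straight from the kernel's view of the ruleset, without going through the CLI. The following is an added example, not NFTBan's own code: it searches the JSON printed by `nft -j list ruleset` for an address, handling single addresses, prefixes, ranges and elements carrying a timeout. The sample ruleset is constructed, and the `networks` and `search` helpers are hypothetical names.

```python
import ipaddress
import json

# Constructed sample shaped like `nft -j list ruleset` output (not from a real host).
SAMPLE = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "ip", "name": "nftban"}},
    {"set": {"family": "ip", "table": "nftban", "name": "whitelist_ipv4",
             "type": "ipv4_addr", "elem": ["192.0.2.10"]}},
    {"set": {"family": "ip", "table": "nftban", "name": "blacklist_ipv4",
             "type": "ipv4_addr", "flags": ["timeout"],
             "elem": [{"elem": {"val": "203.0.113.7", "timeout": 3600}}]}},
    {"set": {"family": "ip", "table": "nftban", "name": "feeds_ipv4",
             "type": "ipv4_addr", "flags": ["interval"],
             "elem": [{"prefix": {"addr": "198.51.100.0", "len": 24}},
                      {"range": ["203.0.113.0", "203.0.113.15"]}]}},
    # A set in an unrelated table must not be reported.
    {"set": {"family": "ip", "table": "filter", "name": "other",
             "type": "ipv4_addr", "elem": ["203.0.113.7"]}},
]})


def networks(elem):
    """Expand one JSON set element into a list of ipaddress networks."""
    if isinstance(elem, dict) and "elem" in elem:   # wrapped: timeout, counter...
        elem = elem["elem"]["val"]
    if isinstance(elem, str):                       # single address
        return [ipaddress.ip_network(elem)]
    if "prefix" in elem:
        p = elem["prefix"]
        return [ipaddress.ip_network(f"{p['addr']}/{p['len']}")]
    if "range" in elem:
        lo, hi = (ipaddress.ip_address(a) for a in elem["range"])
        return list(ipaddress.summarize_address_range(lo, hi))
    return []                                       # unknown kind: do not guess


def search(ruleset_json, ip, table="nftban"):
    """Return the sorted names of sets in `table` whose elements cover `ip`."""
    addr = ipaddress.ip_address(ip)
    family = "ip" if addr.version == 4 else "ip6"
    hits = set()
    for obj in json.loads(ruleset_json)["nftables"]:
        s = obj.get("set")
        if not s or s["table"] != table or s["family"] != family:
            continue
        if any(addr in net for e in s.get("elem", []) for net in networks(e)):
            hits.add(s["name"])
    return sorted(hits)
```

On a live host, pass the output of `nft -j list ruleset` (run with sufficient privilege) as `ruleset_json` in place of `SAMPLE`.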
| Component | Type | Description |
|---|---|---|
| nftban | Bash CLI | Main command-line interface (54 commands) |
| nftban-core | Go Binary | Backend for feeds, geoip, sync |
| nftban-ui | Go Binary | Web interface server |
- Linux: Rocky/Alma/RHEL 9-10, CentOS Stream 9-10, Ubuntu 22.04+, Debian 12+
- nftables: 1.0+ (native backend)
- Bash: 4.4+
- systemd: 252+ (sysusers.d, tmpfiles.d support)
- jq: JSON processor (auto-installed)
- yq: YAML processor (auto-installed)
- Go 1.21+: For building from source (optional)
NFTBan uses a tiered support model. See the full platform contract for details.
| Family | Platform | Kernel | nftables |
|---|---|---|---|
| DEB | Ubuntu 24.04 LTS | 6.8 | 1.0 |
| DEB | Debian 12 | 6.1 | 1.0 |
| RPM | Rocky Linux 9.x | 5.14 | 1.0 |
- Rocky Linux 10.x / AlmaLinux 10.x / RHEL 10
- Debian 13 (Trixie)
- Ubuntu 26.04 LTS
- Rocky/RHEL 8.x, Ubuntu 22.04, Debian 11
NFTBan development uses AI tools for code generation and review. All code is human-reviewed and version-controlled.
| Tool | Use |
|---|---|
| ChatGPT (OpenAI) | Architecture planning |
| Claude (Anthropic) | Implementation, testing, review |
Mozilla Public License 2.0 (MPL-2.0)
Copyright (c) 2024-2026 NFTBan Project / Antonios Voulvoulis
- Wiki Home — Complete documentation
- CLI Commands Reference — All 54 commands
- Installation Guide — Prerequisites, install, post-config
- Suricata IDS Integration — IDS/IPS setup guide
- Security Policy — Vulnerability reporting
- Security Architecture — Access control, Polkit integration
- Security Operations Guide — Hardening, monitoring, procedures
- Website: https://nftban.com
- Report Bug
- Discussions