# nfgate
nfgate is a lightweight gRPC daemon that manages nftables firewall rules on a Linux host. It is the on-premises firewall plugin used by SSH Shield — SSH Shield calls nfgate's API to block and query IPs, and nfgate translates those calls into nftables set operations on the host.
## gRPC API

The API defines a `BlockerService` that exposes two RPCs:

- `BlockIP` adds an IP to the block set for a given duration.
- `IsBlocked` checks whether an IP is currently in the block set.
## Configuration
nfgate is configured via a YAML file passed as a command-line argument at startup.
### server

| Field | Default | Description |
|---|---|---|
| `address` | required | gRPC listen address (e.g. `0.0.0.0:9090`). |
| `authKey` | — | Pre-shared key clients must supply as `Authorization: Bearer <key>`. Leave empty to disable authentication. |
### nftables

| Field | Default | Description |
|---|---|---|
| `tableName` | required | Name of the nftables table nfgate manages. |
| `setNameV4` | required | Name of the IPv4 set within the table. |
| `setNameV6` | required | Name of the IPv6 set within the table (reserved — IPv6 blocking is not yet implemented). |
| `checkBeforeBlock` | `false` | When `true`, nfgate checks whether the IP is already in the set before adding it. Avoids duplicate-entry errors at the cost of an extra kernel round-trip per ban. |
The table, chains, and sets referenced by tableName, setNameV4, and setNameV6 must exist on the host before nfgate starts. The expected structure is:
```
table ip <tableName> {
    set <setNameV4> {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority -1
        ip saddr @<setNameV4> drop
    }
    chain forward {
        type filter hook forward priority -1
        ip saddr @<setNameV4> drop
    }
}
```
> **Info:** Run `nfgate setup` to create this structure automatically based on the configured table and set names.
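As an added illustration (not nfgate's own code), the following Python model shows how the two RPCs and `nfgate setup` map onto `nft` set operations for a given `nftables` config section. The field names come from the table above; the exact `nft` invocations, the seconds unit for the duration, and the use of `nft get element` for the lookup are assumptions about how the daemon does this.

```python
"""Model of how nfgate's BlockIP / IsBlocked map onto nft set operations.

Illustrative only (assumed mapping, not nfgate's source): it builds the nft
argv the daemon would run, so the translation can be inspected without root.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class NftablesConfig:            # mirrors the `nftables` config section
    tableName: str
    setNameV4: str
    setNameV6: str               # reserved: IPv6 blocking not implemented
    checkBeforeBlock: bool = False


def _v4(ip: str) -> ipaddress.IPv4Address:
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv6 blocking is not implemented")
    return addr


def is_blocked_cmd(cfg: NftablesConfig, ip: str) -> list[str]:
    """IsBlocked: `nft get element` fails if the element is absent or expired."""
    return ["nft", "get", "element", "ip", cfg.tableName, cfg.setNameV4,
            f"{{ {_v4(ip)} }}"]


def block_ip_cmds(cfg: NftablesConfig, ip: str, duration_s: int) -> list[list[str]]:
    """BlockIP: add the element with a timeout (set needs `flags timeout`).

    With checkBeforeBlock the lookup runs first; the caller skips the add when
    it succeeds, avoiding the kernel's duplicate-entry error.
    """
    if duration_s <= 0:
        raise ValueError("duration must be positive")
    add = ["nft", "add", "element", "ip", cfg.tableName, cfg.setNameV4,
           f"{{ {_v4(ip)} timeout {duration_s}s }}"]
    return [is_blocked_cmd(cfg, ip), add] if cfg.checkBeforeBlock else [add]


def setup_ruleset(cfg: NftablesConfig) -> str:
    """Equivalent of `nfgate setup`: the table/set/chain structure nfgate expects."""
    chains = "\n".join(
        f"    chain {hook} {{\n        type filter hook {hook} priority -1\n"
        f"        ip saddr @{cfg.setNameV4} drop\n    }}"
        for hook in ("input", "forward"))
    return (f"table ip {cfg.tableName} {{\n    set {cfg.setNameV4} {{\n"
            f"        type ipv4_addr\n        flags timeout\n    }}\n{chains}\n}}\n")
```

The ruleset string can be fed to `nft -f -` on the host; the argv lists are what a `subprocess.run` call would execute.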