I was kind of reading today that facebook is quite abusive with their ai tools. So I decided to fight fire with fire. I had the ai (gemini in this case) write the following script to BLOCK all ipv4 access from facebook properties to your site! It's in nftables format. It does require jq and the iprange command to be installed. Applying it may take more work, but it's a start.
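#!/bin/bash
#
# Populates an nftables set with Facebook/Meta's public IPv4 prefixes
# by coalescing announced routes from RIPE, then installs drop rules
# that match the set in both directions.
#
# Requires: curl, jq, nft, iprange
#
# Configuration may be overridden from the environment, e.g.
#   HOOK=input ./this_script.sh
# NOTE: the default hook is "forward", which only sees traffic that is
# routed *through* this machine. Traffic addressed to services on this
# machine itself passes through the "input" hook, so a web server running
# here is not covered unless HOOK=input is used.
#
# Exit on error, on unset variables, and on pipe failures
set -euo pipefail

# --- Configuration ---
TABLE_NAME="facebook_block"
TABLE_FAMILY="inet"
SET_V4="ipv4_prefixes"
HOOK="${HOOK:-forward}"            # nftables hook the chain attaches to
CHAIN_NAME="${CHAIN_NAME:-$HOOK}"  # chain is named after its hook by default
ASN="AS32934"                      # This is the ASN for Meta/Facebook
RIPE_URL="https://stat.ripe.net/data/announced-prefixes/data.json?resource=${ASN}"
readonly TABLE_NAME TABLE_FAMILY SET_V4 HOOK CHAIN_NAME ASN RIPE_URL

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort early, with a clear message, if any required tool is missing.
# Arguments: tool names to look up in PATH
#######################################
require_tools() {
  local tool
  for tool in "$@"; do
    command -v -- "$tool" >/dev/null 2>&1 \
      || die "required tool '$tool' is not installed or not in PATH"
  done
}

#######################################
# Check that a string is a well-formed IPv4 CIDR prefix (a.b.c.d/n with
# each octet 0-255 and n 0-32). Only strings that pass this check are ever
# interpolated into an nft command, so a malformed or unexpected entry in
# the downloaded data cannot alter the generated ruleset.
# Arguments: $1 - candidate string
# Returns:   0 if it is a valid IPv4 CIDR, 1 otherwise
#######################################
is_ipv4_cidr() {
  local candidate=$1
  local octet
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]{1,2})$'
  [[ $candidate =~ $re ]] || return 1
  # 10# forces decimal so a leading zero is not read as octal
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  (( 10#${BASH_REMATCH[5]} <= 32 ))
}

#######################################
# Download the prefixes announced by $ASN from the RIPE API and print one
# prefix per line (IPv4 and IPv6 mixed, exactly as returned by the API).
# Globals:   RIPE_URL (read)
# Outputs:   prefixes on stdout
# Returns:   non-zero if the download or the JSON parsing fails
#######################################
fetch_prefixes() {
  # --fail turns an HTTP error into a non-zero exit instead of handing an
  # error page to jq; --max-time keeps a hung API from blocking forever.
  curl --silent --show-error --fail --location --max-time 60 -- "$RIPE_URL" \
    | jq -r '.data.prefixes[].prefix'
}

#######################################
# Ensure the table, set and chain exist. 'nft add' is idempotent for all
# three object kinds, so no error masking is needed: a real failure (for
# example running without CAP_NET_ADMIN) aborts the script instead of being
# silently swallowed.
# Globals:   TABLE_FAMILY, TABLE_NAME, SET_V4, CHAIN_NAME, HOOK (read)
#######################################
ensure_objects() {
  echo "Ensuring table, set, and chain exist..."
  nft "add table $TABLE_FAMILY $TABLE_NAME"
  nft "add set $TABLE_FAMILY $TABLE_NAME $SET_V4 { type ipv4_addr; flags interval; }"
  nft "add chain $TABLE_FAMILY $TABLE_NAME $CHAIN_NAME { type filter hook $HOOK priority filter; policy accept; }"
}

#######################################
# Replace the chain's rules and, when new elements are given, the set's
# contents in a single nftables transaction. Doing both in one batch means
# there is no window in which the chain is empty or the drop rules point at
# a half-populated set, and a failure leaves the previous ruleset intact.
# When no elements are given the set is left untouched.
# Globals:   TABLE_FAMILY, TABLE_NAME, SET_V4, CHAIN_NAME (read)
# Arguments: $1 - comma-separated list of validated IPv4 prefixes (may be empty)
#######################################
apply_ruleset() {
  local elements=$1
  local set_update=""
  if [[ -n "$elements" ]]; then
    set_update=$(printf 'flush set %s %s %s\nadd element %s %s %s { %s }\n' \
      "$TABLE_FAMILY" "$TABLE_NAME" "$SET_V4" \
      "$TABLE_FAMILY" "$TABLE_NAME" "$SET_V4" "$elements")
  fi
  nft -f - <<EOF
flush chain $TABLE_FAMILY $TABLE_NAME $CHAIN_NAME
add rule $TABLE_FAMILY $TABLE_NAME $CHAIN_NAME ip daddr @$SET_V4 drop
add rule $TABLE_FAMILY $TABLE_NAME $CHAIN_NAME ip saddr @$SET_V4 drop
$set_update
EOF
}

#######################################
# Entry point: fetch, validate, coalesce and install the prefix list.
#######################################
main() {
  require_tools curl jq nft iprange
  case "$HOOK" in
    input|forward|output) ;;
    *) die "HOOK must be one of input, forward, output (got '$HOOK')" ;;
  esac

  ensure_objects

  # --- Fetch and parse ---
  echo "Fetching JSON prefix list from RIPE API for $ASN..."
  local raw
  raw=$(fetch_prefixes) || die "Failed to download or parse the prefix list from $RIPE_URL"
  [[ -n "$raw" ]] || die "Failed to download or parse IP list. Output was empty."
  local -a prefixes=()
  mapfile -t prefixes <<<"$raw"

  # --- Validate ---
  # Keep only well-formed IPv4 CIDRs. IPv6 prefixes are skipped silently
  # (the set is ipv4_addr); anything else is reported and skipped so that
  # only validated tokens reach the nft command.
  echo "IP list downloaded. Validating and coalescing (merging) IPv4 ranges with iprange..."
  local -a v4=()
  local p
  for p in "${prefixes[@]}"; do
    if is_ipv4_cidr "$p"; then
      v4+=("$p")
    elif [[ -n "$p" && "$p" != *:* ]]; then
      printf 'Warning: ignoring unexpected entry %q\n' "$p" >&2
    fi
  done

  # --- Coalesce ---
  local -a merged=()
  if (( ${#v4[@]} > 0 )); then
    local merged_raw
    merged_raw=$(printf '%s\n' "${v4[@]}" | iprange --optimize) \
      || die "iprange failed to coalesce the prefix list"
    mapfile -t merged <<<"$merged_raw"
  fi
  local elements
  elements=$(IFS=,; printf '%s' "${merged[*]}")

  # --- Install ---
  echo "Resetting rules in chain '$CHAIN_NAME'..."
  if [[ -n "$elements" ]]; then
    echo "Populating set '$SET_V4' with ${#merged[@]} coalesced prefixes..."
  else
    echo "No IPv4 prefixes found to add."
  fi
  apply_ruleset "$elements"

  echo "---"
  echo "Script finished. Your ruleset should now be populated."
  echo "Verify with: sudo nft list ruleset"
}

main "$@"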