mimas: block alibaba and tencent

These networks keep scraping hydra.nixos.org with a high request rate
across a wide range of IP addresses with bogus user-agents.

They did it, they made me develop a tool to lookup prefixes for an AS
and block them from accessing tcp/443 using an nftable set match.

Author: mweinelt

build/mimas/default.nix

@@ -4,6 +4,7 @@
     ../hydra.nix
     ../hydra-proxy.nix
     ./boot.nix
+    ./firewall.nix
     ./network.nix
   ];
 

build/mimas/firewall.nix

@@ -0,0 +1,81 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  blockedAutNums = [
+    45102 # ALIBABA-CN-NET
+    132203 # TENCENT-NET-AP-CN
+  ];
+in
+
+{
+  networking.nftables = {
+    tables."abuse" = {
+      family = "inet";
+      content = ''
+        set ipv4blocks {
+          type ipv4_addr;
+          flags interval;
+          auto-merge;
+        }
+        set ipv6blocks {
+          type ipv6_addr;
+          auto-merge;
+          flags interval;
+        }
+        chain input-abuse {
+          type filter hook input priority filter - 5;
+
+          ip saddr @ipv4blocks tcp dport 443 counter drop;
+          ip6 saddr @ipv6blocks tcp dport 443 counter drop;
+        }
+      '';
+    };
+  };
+
+  systemd.services.nft-prefix-import = {
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = with pkgs; [ nftables ];
+    environment.USER_AGENT = "NixOS.org Infrastructure - [email protected]";
+    serviceConfig = {
+      Type = "oneshot";
+      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+      DynamicUser = true;
+      User = "nft-asblock";
+      Group = "nft-asblock";
+      ExecStart = toString (
+        [
+          (lib.getExe inputs.nft-prefix-import.packages.${pkgs.hostPlatform.system}.default)
+          "--table"
+          "abuse"
+          "--ipv4set"
+          "ipv4blocks"
+          "--ipv6set"
+          "ipv6blocks"
+        ]
+        ++ blockedAutNums
+      );
+      RestrictAddressFamilies = [
+        "AF_NETLINK"
+        "AF_INET"
+        "AF_INET6"
+      ];
+      StateDirectory = "nft-prefix-import";
+      WorkingDirectory = "/var/lib/nft-prefix-import";
+    };
+  };
+
+  systemd.timers.nft-prefix-import = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "0/6:00";
+      RandomizedDelaySec = 3600;
+    };
+  };
+}

flake.lock

@@ -70,6 +70,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    nft-prefix-import = {
+      url = "github:mweinelt/nft-prefix-import";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
     srvos = {
       url = "github:numtide/srvos";
       inputs.nixpkgs.follows = "nixpkgs";