
Commit ee196d0

committed
mimas: migrate to nftables and configure whole as blocks
1 parent 31a774b commit ee196d0


4 files changed

+106
-0
lines changed


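--- a/build/mimas/default.nix
+++ b/build/mimas/default.nix
@@ -4,6 +4,7 @@
 ../hydra.nix
 ../hydra-proxy.nix
 ./boot.nix
+./firewall.nix
 ./network.nix
 ];
 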
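--- /dev/null
+++ b/build/mimas/firewall.nix
@@ -0,0 +1,79 @@
+{
+pkgs,
+lib,
+inputs,
+...
+}:
+
+let
+blockedAutNums = [
+45102 # ALIBABA-CN-NET
+132203 # TENCENT-NET-AP-CN
+];
+in
+
+{
+networking.nftables = {
+enable = true;
+tables."abuse" = {
+family = "inet";
+content = ''
+set ipv4blocks {
+type ipv4_addr;
+flags interval, timeout;
+auto-merge;
+timeout 12h;
+}
+set ipv6blocks {
+type ipv6_addr;
+auto-merge;
+flags interval, timeout;
+timeout 12h;
+}
+chain input-abuse {
+type filter hook input priority filter - 5;
+
+ip saddr @ipv4blocks tcp dport 443 counter drop;
+ip6 saddr @ipv6blocks tcp dport 443 counter drop;
+}
+'';
+};
+};
+
+systemd.services.nft-prefix-import = {
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+path = with pkgs; [ nftables ];
+environment.USER_AGENT = "NixOS.org Infrastructure - [email protected]";
+serviceConfig = {
+Type = "oneshot";
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+DynamicUser = true;
+User = "nft-asblock";
+Group = "nft-asblock";
+ExecStart = toString (
+[
+(lib.getExe inputs.nft-prefix-import.packages.${pkgs.hostPlatform.system}.default)
+"--table"
+"abuse"
+"--ipv4set"
+"ipv4blocks"
+"--ipv6set"
+"ipv6blocks"
+]
+++ blockedAutNums
+);
+StateDirectory = "nft-prefix-import";
+WorkingDirectory = "/var/lib/nft-prefix-import";
+};
+};
+
+systemd.timers.nft-prefix-import = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "0/4:00";
+RandomizedDelaySec = 3600;
+};
+};
+}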
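Review bot: The block sets age their entries out after `timeout 12h` (new-file lines 25 and 31) while the refresh timer fires only every 4 h plus up to 3600 s of randomized delay, so roughly three consecutive failed runs of nft-prefix-import (upstream data unreachable, network-online never reached) let every block expire and the host quietly fails open, unless the importer supplies its own per-element timeouts. Adding `onFailure = [ "<alerting-unit-placeholder>.service" ];` to the service would make that gap visible before the sets drain. The unit already runs as a DynamicUser with only CAP_NET_ADMIN, which is the right shape; `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` and `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];` in serviceConfig would keep the capability from reaching anything the importer executes and limit it to the sockets fetching and nf_netlink need. The drop rules match only `tcp dport 443` (lines 36 and 37), so traffic from the listed ASNs to every other port is untouched despite the commit title; if that is intended, a comment in the chain such as `# only the HTTPS listener is shielded; other ports deliberately stay reachable` would stop the next reader from assuming a whole-AS block.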

flake.lock

Lines changed: 21 additions & 0 deletions

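--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+nft-prefix-import = {
+url = "github:mweinelt/nft-prefix-import";
+inputs.nixpkgs.follows = "nixpkgs-unstable";
+};
+
 srvos = {
 url = "github:numtide/srvos";
 inputs.nixpkgs.follows = "nixpkgs";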
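Review bot: The new `nft-prefix-import` input at `url = "github:mweinelt/nft-prefix-import";` carries no ref or rev, so it floats on that repository's default branch: the accompanying flake.lock pins it for now, but any `nix flake update` will silently pull whatever the branch then holds into a unit that runs with CAP_NET_ADMIN and rewrites the host firewall. Pinning it as `url = "github:mweinelt/nft-prefix-import/<rev-placeholder>";`, or treating that lock entry as a deliberately reviewed item on every update, keeps the supply-chain decision explicit. The input also follows `nixpkgs-unstable` where its neighbours follow `nixpkgs`; presumably the tool needs a newer package set, and a one-line comment saying so would spare the next reader from "fixing" it. The enclosing `inputs` attribute set starts and ends outside the hunk.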
