
Commit f8c0912

committed
mimas: migrate to nftables and configure whole as blocks
1 parent 31a774b commit f8c0912


4 files changed

+104
-0
lines changed


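--- a/build/mimas/default.nix
+++ b/build/mimas/default.nix
@@ -4,6 +4,7 @@
 ../hydra.nix
 ../hydra-proxy.nix
 ./boot.nix
+./firewall.nix
 ./network.nix
 ];
 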
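--- a/build/mimas/firewall.nix
+++ b/build/mimas/firewall.nix
@@ -0,0 +1,77 @@
+{
+pkgs,
+lib,
+inputs,
+...
+}:
+
+let
+blockedAutNums = [
+45102 # ALIBABA-CN-NET
+132203 # TENCENT-NET-AP-CN
+];
+in
+
+{
+networking.nftables = {
+enable = true;
+tables."abuse" = {
+family = "inet";
+content = ''
+set ipv4blocks {
+type ipv4_addr;
+flags interval;
+auto-merge;
+}
+set ipv6blocks {
+type ipv6_addr;
+auto-merge;
+flags interval;
+}
+chain input-abuse {
+type filter hook input priority filter - 5;
+
+ip saddr @ipv4blocks tcp dport 443 counter drop;
+ip6 saddr @ipv6blocks tcp dport 443 counter drop;
+}
+'';
+};
+};
+
+systemd.services.nft-prefix-import = {
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+path = with pkgs; [ nftables ];
+environment.USER_AGENT = "NixOS.org Infrastructure - [email protected]";
+serviceConfig = {
+Type = "oneshot";
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+DynamicUser = true;
+User = "nft-asblock";
+Group = "nft-asblock";
+ExecStart = toString (
+[
+(lib.getExe inputs.nft-prefix-import.packages.${pkgs.hostPlatform.system}.default)
+"--table"
+"abuse"
+"--ipv4set"
+"ipv4blocks"
+"--ipv6set"
+"ipv6blocks"
+]
+++ blockedAutNums
+);
+StateDirectory = "nft-prefix-import";
+WorkingDirectory = "/var/lib/nft-prefix-import";
+};
+};
+
+systemd.timers.nft-prefix-import = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "0/6:00";
+RandomizedDelaySec = 3600;
+};
+};
+}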
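Review bot: Nothing orders nft-prefix-import after nftables.service, and the `abuse` table declares both sets empty, so whenever the firewall unit is (re)loaded — at boot, or on a switch that changes the ruleset — the blocks are absent until the next timer firing, which with `OnCalendar = "0/6:00"` plus `RandomizedDelaySec = 3600` can be close to seven hours; whether a reload also discards previously imported elements depends on how the NixOS module replaces the table, which is not visible here. Consider `after = [ "network-online.target" "nftables.service" ];` together with `partOf = [ "nftables.service" ];` so the oneshot re-runs whenever the ruleset unit is restarted, and note that the ordering is today only implicit through network-online.target. Because this unit fetches prefix data from the network and then modifies the live ruleset with CAP_NET_ADMIN, it is worth pinning its privileges with `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` and `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];` rather than relying on DynamicUser alone. A short comment above the chain stating that only `tcp dport 443` is dropped on purpose would also help, since the same prefixes can still reach every other listening service; the two set definitions additionally list `flags interval` and `auto-merge` in opposite orders, which reads as an oversight.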

flake.lock

Lines changed: 21 additions & 0 deletions

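--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+nft-prefix-import = {
+url = "github:mweinelt/nft-prefix-import";
+inputs.nixpkgs.follows = "nixpkgs-unstable";
+};
+
 srvos = {
 url = "github:numtide/srvos";
 inputs.nixpkgs.follows = "nixpkgs";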
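Review bot: The new input follows `nixpkgs-unstable` while the neighbouring inputs in this hunk follow `nixpkgs`; if that is deliberate (presumably the tool needs a newer package set), a comment such as `# follows unstable on purpose: TODO state the package this needs` would keep a later cleanup from "fixing" it. This input provides the binary that later runs with CAP_NET_ADMIN and network access on the host, so its revision is held only by flake.lock and bumps of it deserve the same review as any other privileged dependency. The enclosing `inputs` attribute set starts outside the hunk.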
