
base: block censys shit

+41 -2
+41 -2
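--- a/modules/base/networking.nix
+++ b/modules/base/networking.nix
@@ -4,9 +4,48 @@
 firewall = {
 enable = true;
 extraCommands = ''
-iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW \
+set -euo pipefail
+
+ensure_rule() {
+if ! iptables -C INPUT "$@" 2>/dev/null; then
+iptables -I INPUT 1 "$@"
+fi
+}
+ensure_rule6() {
+if ! ip6tables -C INPUT "$@" 2>/dev/null; then
+ip6tables -I INPUT 1 "$@"
+fi
+}
+
+v4blocklist=(
+'66.132.159.0/24'
+'162.142.125.0/24'
+'167.94.138.0/24'
+'167.94.145.0/24'
+'167.94.146.0/24'
+'167.248.133.0/24'
+'199.45.154.0/24'
+'199.45.155.0/24'
+'206.168.34.0/24'
+'206.168.35.0/24'
+)
+v6blocklist=(
+'2602:80d:1000:b0cc:e::/80'
+'2620:96:e000:b0cc:e::/80'
+'2602:80d:1003::/112'
+'2602:80d:1004::/112'
+)
+
+for ip in "''${v4blocklist[@]}"; do
+ensure_rule -s "$ip" -j DROP
+done
+for ip in "''${v6blocklist[@]}"; do
+ensure_rule6 -s "$ip" -j DROP
+done
+
+ensure_rule -p tcp --dport 22 -m conntrack --ctstate NEW \
 -m recent --name SSH --rsource --update --seconds 120 --hitcount 10 -j DROP
-iptables -I INPUT 2 -p tcp --dport 22 -m conntrack --ctstate NEW \
+ensure_rule -p tcp --dport 22 -m conntrack --ctstate NEW \
 -m recent --name SSH --rsource --set
 '';
 };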
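Review bot: Because every ensure_rule call inserts at INPUT position 1 (new lines 9–13), the two SSH rules at new lines 46–49 end up in the opposite order from the removed lines, which deliberately put the `--update … --hitcount 10 -j DROP` rule at position 1 and the `--set` rule at position 2; on a fresh chain the `--set` rule is now evaluated first, so (if I read xt_recent correctly) the packet being counted is included in the hitcount comparison and the drop fires one connection earlier than before. If the old order is intended, call ensure_rule for the `--set` rule first and for the `--update … -j DROP` rule second so the later insert lands above it; otherwise a one-line comment such as `# --set runs before the hitcount check on purpose` would record the choice, since -C only checks presence, not position, and a previously provisioned host keeps whichever order it already has. `set -euo pipefail` on new line 7 also applies to everything after the point where this string is spliced into the generated firewall script — on NixOS's iptables backend presumably its own trailing commands and any other module's extraCommands — so it is worth confirming nothing there relies on unset variables or pipeline exit status. The `2>/dev/null` on the `-C` probes (new lines 10 and 15) hides any failure other than "rule absent", so a broken rule spec or a missing ip6tables surfaces only as a failed `-I` under `set -e`. The enclosing networking attribute set begins before the hunk.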