From 93b7118de92d57b8f60b6badce2a4f5332805ea5 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 17 Nov 2022 16:55:21 +0100
Subject: [PATCH] hosts/VEGAS: drop all outgoing traffic to private IP addresses
---
 hosts/VEGAS/system.nix | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 3dd714c..733d07b 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -63,7 +63,38 @@
 services.openssh.enable = true;
- networking.firewall.enable = true;
+ networking.firewall = {
+ enable = true;
+ extraCommands = let
+ privateIp4Ranges = [
+ "10.0.0.0/8"
+ "100.64.0.0/10"
+ "169.254.0.0/16"
+ "172.16.0.0/12"
+ "192.0.0.0/24"
+ "192.0.2.0/24"
+ "192.168.0.0/16"
+ "198.18.0.0/15"
+ "198.51.100.0/24"
+ "203.0.113.0/24"
+ "240.0.0.0/4"
+ ];
+
+ privateIp6Ranges = [
+ "100::/64"
+ "2001:2::/48"
+ "2001:db8::/32"
+ "fc00::/7"
+ "fe80::/10"
+ ];
+
+ mkRules = ipt: ranges: map (x: "${ipt} -I nixos-fw 1 -d ${x} -o ${hosts.${config.networking.hostName}.interfaces.primary.link} -j DROP") ranges;
+
+ rules4 = mkRules "iptables" privateIp4Ranges;
+
+ rules6 = mkRules "ip6tables" privateIp6Ranges;
+ in builtins.concatStringsSep "\n" (rules4 ++ rules6);
+ };
 system.stateVersion = "21.05";
 services.openssh.passwordAuthentication = false;
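Review bot: The DROP rules generated by mkRules cannot match outgoing traffic, because they are inserted into nixos-fw, the chain the NixOS firewall jumps to from INPUT; in that hook the output-interface condition `-o <primary link>` is compared against an empty value for every incoming packet, so the rules are dead and the egress block the subject line promises is not enforced. Rules that are meant to filter traffic leaving the host belong in OUTPUT, e.g. `"${ipt} -I OUTPUT -d ${x} -o ${link} -j DROP"`. As far as I can tell the NixOS firewall script only recreates its own chains on start/reload and does not flush OUTPUT, so a matching networking.firewall.extraStopCommands that deletes the same rules is needed or duplicates accumulate on every restart, which is why the sketch below derives both command sets from one rule builder. A comment on mkRules stating that OUTPUT was chosen deliberately because nixos-fw only sees inbound packets would keep the next reader from "fixing" it back.

```nix
networking.firewall = let
  link = hosts.${config.networking.hostName}.interfaces.primary.link;
  # … unchanged: privateIp4Ranges / privateIp6Ranges …
  # nixos-fw is only reached from INPUT; egress filtering must live in OUTPUT.
  mkRules = ipt: action: ranges:
    map (x: "${ipt} ${action} OUTPUT -d ${x} -o ${link} -j DROP") ranges;
  rules = action:
    mkRules "iptables" action privateIp4Ranges
    ++ mkRules "ip6tables" action privateIp6Ranges;
in {
  enable = true;
  extraCommands = builtins.concatStringsSep "\n" (rules "-I");
  # Remove the rules again on stop/reload so they do not pile up in OUTPUT.
  extraStopCommands = builtins.concatStringsSep "\n"
    (map (r: "${r} 2>/dev/null || true") (rules "-D"));
};
```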