use nftables on all haproxy host for better blacklisting

2026-05-02 00:29:06 +02:00 · 2026-05-02 00:29:06 +02:00 · 66d6857710
commit 66d6857710
parent d0a8fb0c09
2 changed files with 157 additions and 23 deletions
--- a/hosts/v6proxy/default.nix
+++ b/hosts/v6proxy/default.nix
@ -38,16 +38,44 @@
      "9.9.9.9"
      "1.1.1.1"
    ];
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22
-        80
-        443
-      ];
-    };
+    firewall.enable = false;
    nftables = {
      enable = true;
+      ruleset = ''
+        table inet filter {
+          set blacklist4 {
+            type ipv4_addr
+            flags interval
+            # manage at runtime: nft add element inet filter blacklist4 { 1.2.3.0/24 }
+          }
+
+          set blacklist6 {
+            type ipv6_addr
+            flags interval
+            # manage at runtime: nft add element inet filter blacklist6 { 2001:db8::/32 }
+          }
+
+          chain input {
+            type filter hook input priority filter; policy drop;
+
+            iif "lo" accept
+            ct state established,related accept
+
+            ip saddr @blacklist4 drop
+            ip6 saddr @blacklist6 drop
+
+            tcp dport { 22, 80, 443 } accept
+          }
+
+          chain forward {
+            type filter hook forward priority filter; policy drop;
+          }
+
+          chain output {
+            type filter hook output priority filter; policy accept;
+          }
+        }
+      '';
    };
  };

@ -102,7 +130,45 @@
      };
    };

-  environment.systemPackages = with pkgs; [
+  users.users.root.packages = [
+    (pkgs.writeShellScriptBin "nft-blacklist" ''
+      set -euo pipefail
+
+      usage() {
+        echo "Usage: nft-blacklist <add|del> <ip-or-cidr>"
+        echo "  add  - add entry to blacklist set"
+        echo "  del  - remove entry from blacklist set"
+        exit 1
+      }
+
+      [[ $# -ne 2 ]] && usage
+
+      ACTION="$1"
+      ADDR="$2"
+
+      if [[ "$ADDR" == *:* ]]; then
+        SET="blacklist6"
+      elif [[ "$ADDR" == *.* ]]; then
+        SET="blacklist4"
+      else
+        echo "Error: cannot determine address family for '$ADDR'" >&2
+        exit 1
+      fi
+
+      case "$ACTION" in
+        add)
+          ${pkgs.nftables}/bin/nft add element inet filter "$SET" "{ $ADDR }"
+          echo "Added $ADDR to $SET"
+          ;;
+        del)
+          ${pkgs.nftables}/bin/nft delete element inet filter "$SET" "{ $ADDR }"
+          echo "Removed $ADDR from $SET"
+          ;;
+        *)
+          usage
+          ;;
+      esac
+    '')
  ];

  system.stateVersion = "25.11";