Diffstat (limited to 'guix/nftables.conf')
-rw-r--r-- | guix/nftables.conf | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/guix/nftables.conf b/guix/nftables.conf
new file mode 100644
index 0000000..c6f0ebc
--- /dev/null
+++ b/guix/nftables.conf
@@ -0,0 +1,54 @@
+table inet filter { # https://www.cloudflare.com/ips-v4
+ set cloudflare_ipv4 {
+ type ipv4_addr
+ flags interval
+ elements = {
+ 173.245.48.0/20,
+ 103.21.244.0/22,
+ 103.22.200.0/22,
+ 103.31.4.0/22,
+ 141.101.64.0/18,
+ 108.162.192.0/18,
+ 190.93.240.0/20,
+ 188.114.96.0/20,
+ 197.234.240.0/22,
+ 198.41.128.0/17,
+ 162.158.0.0/15,
+ 104.16.0.0/13,
+ 104.24.0.0/14,
+ 172.64.0.0/13,
+ 131.0.72.0/22
+ }
+ }
+
+ # https://www.cloudflare.com/ips-v6
+ set cloudflare_ipv6 {
+ type ipv6_addr
+ flags interval
+ elements = {
+ 2400:cb00::/32,
+ 2606:4700::/32,
+ 2803:f800::/32,
+ 2405:b500::/32,
+ 2405:8100::/32,
+ 2a06:98c0::/29,
+ 2c0f:f248::/32
+ }
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy accept
+
+ ip daddr @cloudflare_ipv4 counter reject
+ ip6 daddr @cloudflare_ipv6 counter reject
+ }
+
+ chain input {
+ type filter hook output priority 0
+ policy accept
+
+ ip saddr @cloudflare_ipv4 counter reject
+ ip6 saddr @cloudflare_ipv6 counter reject
+ }
+} |
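Review bot: The `chain input` block near the end of the hunk is attached to the wrong hook — `type filter hook output priority 0` — so its `ip saddr @cloudflare_ipv4` and `ip6 saddr @cloudflare_ipv6` rules only ever see locally generated packets and inbound traffic from those ranges is never rejected; it should read `type filter hook input priority 0`. With both chains on the output hook the second one is effectively dead and the counters will stay at zero, which is worth confirming with `nft list ruleset` after loading the file. The two sets are a point-in-time copy of the published ranges, so a comment such as `# snapshot taken <DATE-PLACEHOLDER>; refresh when the published lists change` next to each URL would make drift easier to spot during later review.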