From 3f6c1273636b21e14401ca818f01b5ada10669a8 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong
Date: Fri, 3 Mar 2023 13:52:03 +0900
Subject: Block clown flare on laptop
---
 nix/configuration.nix | 80 +++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 74 insertions(+), 6 deletions(-)
diff --git a/nix/configuration.nix b/nix/configuration.nix
index b346b63..cc9d6ef 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -28,20 +28,88 @@
 networking = {
 hostName = "nix";
- hosts = {
- "0.0.0.0" = [ "9gag.com" "voz.vn" ];
- "23.227.135.186" = [ "halogen.city" ];
- "37.205.11.127" = [ "loang.net" "than.loang.net" ];
+ hosts = let
+ loang = [
+ "danh.loang.net" "tin.loang.net" "than.loang.net" "xem.loang.net"
+ "cnx.gdn" "cmx.cnx.gdn" "px.cnx.gdn" "src.cnx.gdn"
+ ];
+ in {
+ "127.0.0.1" = [ "9gag.com" "voz.vn" ];
+ "37.205.11.127" = loang;
+ "2a03:3b40:100::1:2" = loang;
 };
 nameservers = [
- "84.200.69.80" "84.200.70.40"
- "2001:1608:10:25::1c04:b12f" "2001:1608:10:25::9249:d69b"
+ # ns5.ca.us.dns.opennic.glue
+ "137.184.12.79" "2604:a880:4:1d0::4d:e000"
+ # ns4.au.dns.opennic.glue
+ "168.138.8.38" "2603:c023:c002:f4aa:a208:5df4:ee55:b70a"
 ];
 networkmanager = {
 enable = true;
 insertNameservers = config.networking.nameservers;
 };
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ # https://www.cloudflare.com/ips-v4
+ set cloudflare_ipv4 {
+ type ipv4_addr
+ flags interval
+ elements = {
+ 173.245.48.0/20,
+ 103.21.244.0/22,
+ 103.22.200.0/22,
+ 103.31.4.0/22,
+ 141.101.64.0/18,
+ 108.162.192.0/18,
+ 190.93.240.0/20,
+ 188.114.96.0/20,
+ 197.234.240.0/22,
+ 198.41.128.0/17,
+ 162.158.0.0/15,
+ 104.16.0.0/13,
+ 104.24.0.0/14,
+ 172.64.0.0/13,
+ 131.0.72.0/22
+ }
+ }
+
+ # https://www.cloudflare.com/ips-v6
+ set cloudflare_ipv6 {
+ type ipv6_addr
+ flags interval
+ elements = {
+ 2400:cb00::/32,
+ 2606:4700::/32,
+ 2803:f800::/32,
+ 2405:b500::/32,
+ 2405:8100::/32,
+ 2a06:98c0::/29,
+ 2c0f:f248::/32
+ }
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy accept
+
+ ip daddr @cloudflare_ipv4 counter reject
+ ip6 daddr @cloudflare_ipv6 counter reject
+ }
+
+ chain input {
+ type filter hook output priority 0
+ policy accept
+
+ ip saddr @cloudflare_ipv4 counter reject
+ ip6 saddr @cloudflare_ipv6 counter reject
+ }
+ }
+ '';
+ };
+
 interfaces = {
 enp1s0.useDHCP = true;
 wlp2s0.useDHCP = true;
--
cgit 1.4.1
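Review bot: The `chain input` block in the new ruleset is attached to the wrong hook — it declares `type filter hook output priority 0` — so its `ip saddr @cloudflare_ipv4` / `ip6 saddr @cloudflare_ipv6` rules only ever see locally generated packets, whose source address is never a Cloudflare prefix, and inbound traffic from those ranges is never rejected; the line should read `type filter hook input priority 0`. Because both chains are `policy accept`, the bug is silent, and the `counter` on the two saddr rules staying at zero is the quickest way to confirm the gap before and the fix after. Two smaller points, both inferred rather than visible in this hunk: enabling `networking.nftables` on NixOS releases current at the commit date conflicted with the default iptables-based `networking.firewall` unless that is disabled elsewhere in the file, and moving the blocked hosts from `0.0.0.0` to `127.0.0.1` means requests for them now reach whatever listens on loopback instead of failing immediately. The Cloudflare prefixes are also copied by hand from the linked pages, so a comment such as `# snapshot of the published list as of 2023-03; re-sync periodically` would tell the next reader that the sets go stale.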