Commit ce73d0bd4a54

Vincent Demeester <vincent@sbr.pm>
2026-02-23 15:38:02
fix(kerkouane): block SYN flood subnet and fix VPN CIDR
Blocked 45.233.176.0/22 (active SYN flood source) in both iptables and ip6tables since Caddy listens dual-stack. Added ip6tables connlimit rule. Fixed node exporter firewall rule from /16 to /24 to match actual VPN subnet.
1 parent 5771a37
Changed files (1)
systems/kerkouane/extra.nix
@@ -440,10 +440,15 @@ in
     # Additional iptables rules
     extraCommands = ''
       # Allow node exporter (9000) only from VPN network
-      iptables -A nixos-fw -p tcp -s 10.100.0.0/16 --dport 9000 -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.100.0.0/24 --dport 9000 -j nixos-fw-accept
+
+      # Block known SYN flood source (USBINF INFORMATICA LTDA, Brazil)
+      iptables -I nixos-fw 1 -s 45.233.176.0/22 -j DROP
+      ip6tables -I nixos-fw 1 -s ::ffff:45.233.176.0/118 -j DROP
 
       # SYN flood protection: limit new connections per /24 subnet
       iptables -A nixos-fw -p tcp --syn -m connlimit --connlimit-above 30 --connlimit-mask 24 -j DROP
+      ip6tables -A nixos-fw -p tcp --syn -m connlimit --connlimit-above 30 --connlimit-mask 24 -j DROP
     '';
   };
   # Allow Caddy to access public git repositories only (override ProtectHome)
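Review bot: the ip6tables DROP on `::ffff:45.233.176.0/118` will never match a packet: IPv4-mapped addresses only exist inside dual-stack sockets, while packets from 45.233.176.0/22 arrive on the wire as IPv4 and traverse the iptables `nixos-fw` chain, where the preceding `iptables -I nixos-fw 1 -s 45.233.176.0/22 -j DROP` already covers Caddy's dual-stack listener; the rule is harmless but misleading and can be removed. Separately, `--connlimit-mask 24` on the new ip6tables connlimit rule groups IPv6 sources by a 24-bit prefix, which covers vastly more unrelated clients than a /24 does on IPv4 and risks tripping the 30-connection limit for legitimate traffic; a mask of 64 (or 48) is the usual per-site granularity for IPv6, and the comment "per /24 subnet" should state which mask applies to each address family.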