diff --git a/config/bittorrent-blocker.nix b/config/bittorrent-blocker.nix
new file mode 100644
index 00000000..2e526d6c
--- /dev/null
+++ b/config/bittorrent-blocker.nix
@@ -0,0 +1,50 @@
+{ ... }: {
+ networking.firewall.extraCommands = ''
+ # Taken from https://gist.github.com/rampageX/5cbe95be43ca3165f4d963629e3bb946
+ # Block Torrent algo string using Boyer-Moore (bm)
+ iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
+ iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
+ iptables -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP
+ iptables -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP
+ iptables -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "torrent" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "announce" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP
+ ip6tables -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP
+ # Block Torrent keys
+ iptables -A FORWARD -m string --algo kmp --string "peer_id" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "BitTorrent" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "BitTorrent protocol" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "bittorrent-announce" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "announce.php?passkey=" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "peer_id" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "BitTorrent" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "BitTorrent protocol" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "bittorrent-announce" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "announce.php?passkey=" -j DROP
+ # Block Distributed Hash Table (DHT) keywords
+ iptables -A FORWARD -m string --algo kmp --string "find_node" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "info_hash" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "get_peers" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "announce" -j DROP
+ iptables -A FORWARD -m string --algo kmp --string "announce_peers" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "find_node" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "info_hash" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "get_peers" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "announce" -j DROP
+ ip6tables -A FORWARD -m string --algo kmp --string "announce_peers" -j DROP
+ '';
+}
diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix
index 05a0f418..ba22b967 100644
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
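Review bot: The generic needles "torrent", "announce" and "info_hash" in the bm block (and "announce" again in the DHT block) drop any forwarded packet whose plaintext payload contains those bytes, so ordinary web pages, mail and API responses that merely mention a torrent are silently blocked, while BitTorrent clients that negotiate payload encryption, or tracker traffic inside TLS, never expose these strings and pass untouched. I would keep only the protocol-specific needles already present ("BitTorrent protocol", "peer_id=", "announce.php?passkey=", "get_peers", "find_node") and put a `-j LOG --log-prefix "bt-block: "` rule with the same match in front of each DROP so the collateral drops are visible instead of showing up as unexplained timeouts. The `/default.ida?`, `.exe?/c+dir` and `.exe?/c_tftp` needles are old IIS worm probe signatures copied along with the gist, not BitTorrent; either remove them or change the comment above them to `# Block legacy IIS worm probes (Code Red / Nimda era) — unrelated to BitTorrent`. As far as I recall the NixOS firewall script only flushes its own nixos-fw chains on reload, so these `-A FORWARD` appends may accumulate duplicates across reloads unless `networking.firewall.extraStopCommands` deletes them — worth confirming before relying on this module.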
@@ -20,6 +20,7 @@
 ./services/loki.nix
 ./services/reverse-proxy.nix
 ./services/matrix-media-repo.nix
+ ./bittorrent-blocker.nix
 ];
 boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];