Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-11-25 09:13:06 -05:00
Code Issues Projects Releases Packages Wiki Activity

nftables: include our own anycast addresses

Browse source
This commit is contained in:
Daniel Micay 2025-11-13 23:26:56 -05:00
parent d2dcec7e02
commit 1883a539d0
2 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
etc/nftables/nftables-ns1.conf
View file

@ -8,7 +8,7 @@ table inet filter {
define udp-ports = 53 define udp-ports = 53
define ip-anycast = 185.187.152.9 define ip-anycast = 185.187.152.9
define ip6-anycast = 2a05:b0c4:1::8 define ip6-anycast = { 2602:f4d9::1, 2a05:b0c4:1::8 }
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}}, {{ssh_ipv4}},

4
etc/nftables/nftables-ns2.conf
View file

@ -7,7 +7,8 @@ table inet filter {
define tcp-ports-full = { 22, $tcp-ports } define tcp-ports-full = { 22, $tcp-ports }
define udp-ports = 53 define udp-ports = 53
define ip-anycast = 198.251.90.93 define ip-anycast = { 23.149.124.1, 198.251.90.93 }
define ip6-anycast = 2602:f4d9:1::1
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}}, {{ssh_ipv4}},
@ -90,6 +91,7 @@ table inet filter {
udp dport $udp-ports notrack accept udp dport $udp-ports notrack accept
tcp dport 22 ip daddr $ip-anycast drop tcp dport 22 ip daddr $ip-anycast drop
tcp dport 22 ip6 daddr $ip6-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept