From 3d0e2ffb23e204f493aada2873a1681dadde0714 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 29 Aug 2025 10:28:44 -0400
Subject: [PATCH] expand SSH connection limit allowlist

---
 .gitignore | 1 +
 deploy-initial | 7 +++++--
 etc/nftables/nftables-attestation.conf | 16 ++++++++++++----
 etc/nftables/nftables-discuss.conf | 16 ++++++++++++----
 etc/nftables/nftables-mail.conf | 16 ++++++++++++----
 etc/nftables/nftables-matrix.conf | 16 ++++++++++++----
 etc/nftables/nftables-network.conf | 2 ++
 etc/nftables/nftables-ns1.conf | 2 ++
 etc/nftables/nftables-ns2.conf | 2 ++
 etc/nftables/nftables-social.conf | 16 ++++++++++++----
 etc/nftables/nftables-web.conf | 2 ++
 11 files changed, 74 insertions(+), 22 deletions(-)

diff --git a/.gitignore b/.gitignore
index 1a72c11..bd6f93c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 /authorized_keys-staging-attestation
 /passwords/
 /modules/
+/ssh.sh
 /sysctl/
 /tmp
 /units/
diff --git a/deploy-initial b/deploy-initial
index 0340ecc..03173f3 100755
--- a/deploy-initial
+++ b/deploy-initial
@@ -4,6 +4,7 @@ set -o errexit -o nounset -o pipefail
 shopt -s expand_aliases
 . hosts.sh
+. ssh.sh
 [[ $# -eq 1 ]] || exit 1
@@ -59,8 +60,10 @@ sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp
 rsync tmp $remote:/mnt/etc/ssh/sshd_config
 rm tmp
-synproxy_threshold=$(( ${hosts_conntrack_size[$host]} / 64 ))
-sed "s/{{synproxy_threshold}}/$synproxy_threshold/g" etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf >tmp
+cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
+sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]} / 64 ))/g" tmp
+sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
+sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp
 rsync tmp $remote:/mnt/etc/nftables.conf
 rm tmp
diff --git a/etc/nftables/nftables-attestation.conf b/etc/nftables/nftables-attestation.conf
index e6278bb..c299326 100644
--- a/etc/nftables/nftables-attestation.conf
+++ b/etc/nftables/nftables-attestation.conf
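Review bot: The two new `sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp` and `sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp` lines use `/` as the substitution delimiter, so a value in ssh.sh written in CIDR form (constructed example: `203.0.113.0/24`) breaks the expression and aborts the deploy under errexit; `sed -i "s|{{ssh_ipv4}}|$ssh_ipv4|g" tmp` (and likewise for ssh_ipv6) tolerates prefixes. `set -o nounset` catches an unset `ssh_ipv4`, but not one set to an empty string, which would render the new defines as `{ , }` and make the whole ruleset fail to load on the host, so a guard after `. ssh.sh` such as `[[ -n ${ssh_ipv4:-} && -n ${ssh_ipv6:-} ]] || exit 1` is worth adding in the first hunk. The values are also substituted unescaped, so a sed-special character in them (`&`, `\`) would be misinterpreted; addresses do not contain those, but a one-line comment above the sed lines stating the expected format of ssh.sh (comma-separated plain addresses or prefixes) would document the contract. The script body continues outside both hunks.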
@@ -3,6 +3,14 @@ flush ruleset
 table inet filter {
+ define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
+ }
+
+ define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -77,8 +85,8 @@ table inet filter {
 # add connections established without synproxy to connection limit sets with limits enforced
 chain input-tcp-service-established {
 ct mark 0x1 accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
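Review bot: The new `{{ssh_ipv4}},` and `{{ssh_ipv6}},` entries carry no comment, while the existing allowlist entries visible in this patch each name their host (`51.222.159.116, # 0.grapheneos.network` in nftables-network.conf); a comment such as `{{ssh_ipv4}}, # administrative SSH source(s), substituted by deploy-initial from ssh.sh` would tell someone reading the rendered /etc/nftables.conf on a host where the value came from. The same applies to the identical hunks in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf and nftables-social.conf, and to the one-line additions in the network, ns1, ns2 and web configs. On the rules in the second hunk (and the matching input-tcp-service-loopback hunks), the IPv6 exemption `ip6 saddr != $ip6-allowlist-ssh` matches the exact address whereas the limit itself is keyed per /64 via `and ffff:ffff:ffff:ffff::`, so if ssh.sh holds a single host address and the administrator's client rotates addresses inside its prefix, the exemption does not apply while the 1-connection limit still does; storing the /64 prefix in ssh.sh (with deploy-initial's sed made to tolerate the `/`) would align the two. The closing brace of chain input-tcp-service-established lies outside the hunk.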
@@ -87,8 +95,8 @@ table inet filter {
 # add connections established with synproxy to connection limit sets with limits enforced
 chain input-tcp-service-loopback {
 tcp flags != syn accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-discuss.conf b/etc/nftables/nftables-discuss.conf
index e18049f..fb37815 100644
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@@ -3,6 +3,14 @@ flush ruleset
 table inet filter {
+ define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
+ }
+
+ define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -80,8 +88,8 @@ table inet filter {
 # add connections established without synproxy to connection limit sets with limits enforced
 chain input-tcp-service-established {
 ct mark 0x1 accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -90,8 +98,8 @@ table inet filter {
 # add connections established with synproxy to connection limit sets with limits enforced
 chain input-tcp-service-loopback {
 tcp flags != syn accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-mail.conf b/etc/nftables/nftables-mail.conf
index be52f14..f342ba3 100644
--- a/etc/nftables/nftables-mail.conf
+++ b/etc/nftables/nftables-mail.conf
@@ -3,6 +3,14 @@ flush ruleset
 table inet filter {
+ define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
+ }
+
+ define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
+ }
+
 define ip-allowlist-main = {
 51.79.66.27, # attestation.app
 51.79.52.38, # discuss.grapheneos.org
@@ -89,8 +97,8 @@ table inet filter {
 # add connections established without synproxy to connection limit sets with limits enforced
 chain input-tcp-service-established {
 ct mark 0x1 accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -99,8 +107,8 @@ table inet filter {
 # add connections established with synproxy to connection limit sets with limits enforced
 chain input-tcp-service-loopback {
 tcp flags != syn accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-matrix.conf b/etc/nftables/nftables-matrix.conf
index d8d334f..711c6e2 100644
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@@ -3,6 +3,14 @@ flush ruleset
 table inet filter {
+ define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
+ }
+
+ define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -77,8 +85,8 @@ table inet filter {
 # add connections established without synproxy to connection limit sets with limits enforced
 chain input-tcp-service-established {
 ct mark 0x1 accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -87,8 +95,8 @@ table inet filter {
 # add connections established with synproxy to connection limit sets with limits enforced
 chain input-tcp-service-loopback {
 tcp flags != syn accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 8a8fde9..466a63b 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@@ -4,10 +4,12 @@ flush ruleset
 table inet filter {
 define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
 51.222.159.116, # 0.grapheneos.network
 }
 define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
 2607:5300:205:200::2584, # 0.grapheneos.network
 }
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index c2ac540..35bd39e 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -7,10 +7,12 @@ table inet filter {
 define ip6-anycast = 2a05:b0c4:1::8
 define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
 51.161.34.158, # 0.ns1.grapheneos.org
 }
 define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
 2607:5300:205:200::eaa, # 0.ns1.grapheneos.org
 }
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index a62fa96..4bfdc0e 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -6,10 +6,12 @@ table inet filter {
 define ip-anycast = 198.251.90.93
 define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
 198.98.53.141, # 0.ns2.grapheneos.org
 }
 define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
 2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
 }
diff --git a/etc/nftables/nftables-social.conf b/etc/nftables/nftables-social.conf
index 6711a5b..d6d7615 100644
--- a/etc/nftables/nftables-social.conf
+++ b/etc/nftables/nftables-social.conf
@@ -3,6 +3,14 @@ flush ruleset
 table inet filter {
+ define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
+ }
+
+ define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -77,8 +85,8 @@ table inet filter {
 # add connections established without synproxy to connection limit sets with limits enforced
 chain input-tcp-service-established {
 ct mark 0x1 accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -87,8 +95,8 @@ table inet filter {
 # add connections established with synproxy to connection limit sets with limits enforced
 chain input-tcp-service-loopback {
 tcp flags != syn accept
- tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-web.conf b/etc/nftables/nftables-web.conf
index dd65482..909e8ca 100644
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@@ -4,11 +4,13 @@ flush ruleset
 table inet filter {
 define ip-allowlist-ssh = {
+ {{ssh_ipv4}},
 51.222.156.101, # 0.grapheneos.org
 45.90.185.33, # 0.releases.grapheneos.org
 }
 define ip6-allowlist-ssh = {
+ {{ssh_ipv6}},
 2607:5300:205:200::29c6, # 0.grapheneos.org
 2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
 }