expand SSH connection limit allowlist
parent
f3ae87143f
commit
3d0e2ffb23
11 changed files with 74 additions and 22 deletions
|
|
@ -3,6 +3,14 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
}
|
||||
|
||||
set ip-connlimit-ssh {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
|
|
@ -77,8 +85,8 @@ table inet filter {
|
|||
# add connections established without synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
@ -87,8 +95,8 @@ table inet filter {
|
|||
# add connections established with synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
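Review bot: The rewritten rules `tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } ...` (and the ip6 twin) exempt allowlisted sources from the per-source SSH connection limit entirely rather than raising their ceiling, so an allowlisted host can hold an unbounded number of concurrent SSH connections and nothing in either chain counts them. A compromised or misbehaving allowlisted peer could therefore exhaust sshd's connection slots where before it was capped at one like everyone else. Consider keeping a bound for allowlisted sources with a second rule per family, e.g. `tcp dport 22 ip saddr $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over N } counter reject with tcp reset` where N is a per-host placeholder to be chosen, and the matching `ip6 saddr ... and ffff:ffff:ffff:ffff::` rule. The same change is repeated in this file's synproxy chain hunk (`@ -87,8 +95,8 @@`) and in the corresponding hunks of the sections ending at L243, L361, L479 and L723; both chains' closing braces lie outside the hunks.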
|
|
|||
|
|
@ -3,6 +3,14 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
}
|
||||
|
||||
set ip-connlimit-ssh {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
|
|
@ -80,8 +88,8 @@ table inet filter {
|
|||
# add connections established without synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
@ -90,8 +98,8 @@ table inet filter {
|
|||
# add connections established with synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
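Review bot: The four rewritten SSH rules are now duplicated verbatim between `input-tcp-service-established` and `input-tcp-service-loopback` in this file, and again across the sections ending at L125, L361, L479 and L723, so the next adjustment to the allowlist logic has ten places to edit and any one of them drifting would silently weaken the limit on that path only. The two chains differ solely in their first rule (`ct mark 0x1 accept` versus `tcp flags != syn accept`), so a regular chain holding the shared SSH and 80/443 connlimit rules, entered with a `jump` after that first rule in each chain, would keep both paths identical by construction. Since these files appear to be templates (`{{ssh_ipv4}}`), the cross-host copies could presumably be generated from one shared fragment as well — worth confirming with the templating setup. The chains' closing braces are outside the hunks.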
|
|
|||
|
|
@ -3,6 +3,14 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
}
|
||||
|
||||
define ip-allowlist-main = {
|
||||
51.79.66.27, # attestation.app
|
||||
51.79.52.38, # discuss.grapheneos.org
|
||||
|
|
@ -89,8 +97,8 @@ table inet filter {
|
|||
# add connections established without synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
@ -99,8 +107,8 @@ table inet filter {
|
|||
# add connections established with synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
|
|||
|
|
@ -3,6 +3,14 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
}
|
||||
|
||||
set ip-connlimit-ssh {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
|
|
@ -77,8 +85,8 @@ table inet filter {
|
|||
# add connections established without synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
@ -87,8 +95,8 @@ table inet filter {
|
|||
# add connections established with synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
|
|||
|
|
@ -4,10 +4,12 @@ flush ruleset
|
|||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
51.222.159.116, # 0.grapheneos.network
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
2607:5300:205:200::2584, # 0.grapheneos.network
|
||||
}
|
||||
|
||||
|
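Review bot: Adding `51.222.159.116, # 0.grapheneos.network` and its IPv6 counterpart to `ip-allowlist-ssh` lifts the per-source SSH connection limit for another server, not just the operator address supplied through `{{ssh_ipv4}}`, so the exemption now extends trust to a peer host whose compromise would carry over to this one. The entry would benefit from a comment recording why that peer needs more than one concurrent SSH session, e.g. `51.222.159.116, # 0.grapheneos.network, exempt from SSH connlimit because <reason>` with the placeholder filled in; the same applies to the peer entries in the sections ending at L563, L605 and L770. If this file's connlimit rules match those in the other sections, the IPv6 entry is matched as an exact /128 while the limit set aggregates by /64 (`ip6 saddr and ffff:ffff:ffff:ffff::`), so a renumbered peer inside the same /64 would silently lose the exemption — presumably intended, but worth confirming.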
|
|
|||
|
|
@ -7,10 +7,12 @@ table inet filter {
|
|||
define ip6-anycast = 2a05:b0c4:1::8
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
51.161.34.158, # 0.ns1.grapheneos.org
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
2607:5300:205:200::eaa, # 0.ns1.grapheneos.org
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,10 +6,12 @@ table inet filter {
|
|||
define ip-anycast = 198.251.90.93
|
||||
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
198.98.53.141, # 0.ns2.grapheneos.org
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,14 @@
|
|||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
}
|
||||
|
||||
set ip-connlimit-ssh {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
|
|
@ -77,8 +85,8 @@ table inet filter {
|
|||
# add connections established without synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-established {
|
||||
ct mark 0x1 accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
@ -87,8 +95,8 @@ table inet filter {
|
|||
# add connections established with synproxy to connection limit sets with limits enforced
|
||||
chain input-tcp-service-loopback {
|
||||
tcp flags != syn accept
|
||||
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
ct mark set 0x1 accept
|
||||
|
|
|
|||
|
|
@ -4,11 +4,13 @@ flush ruleset
|
|||
|
||||
table inet filter {
|
||||
define ip-allowlist-ssh = {
|
||||
{{ssh_ipv4}},
|
||||
51.222.156.101, # 0.grapheneos.org
|
||||
45.90.185.33, # 0.releases.grapheneos.org
|
||||
}
|
||||
|
||||
define ip6-allowlist-ssh = {
|
||||
{{ssh_ipv6}},
|
||||
2607:5300:205:200::29c6, # 0.grapheneos.org
|
||||
2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
|
||||
}
|
||||
|
|
|
|||