expand SSH connection limit allowlist

.gitignore

@@ -7,6 +7,7 @@
 /authorized_keys-staging-attestation
 /passwords/
 /modules/
+/ssh.sh
 /sysctl/
 /tmp
 /units/

deploy-initial

@@ -4,6 +4,7 @@ set -o errexit -o nounset -o pipefail
 shopt -s expand_aliases
 
 . hosts.sh
+. ssh.sh
 
 [[ $# -eq 1 ]] || exit 1
 
@@ -59,8 +60,10 @@ sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp
 rsync tmp $remote:/mnt/etc/ssh/sshd_config
 rm tmp
 
-synproxy_threshold=$(( ${hosts_conntrack_size[$host]} / 64 ))
-sed "s/{{synproxy_threshold}}/$synproxy_threshold/g" etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf >tmp
+cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
+sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]} / 64 ))/g" tmp
+sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
+sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp
 rsync tmp $remote:/mnt/etc/nftables.conf
 rm tmp
 

etc/nftables/nftables-attestation.conf

@@ -3,6 +3,14 @@
 flush ruleset
 
 table inet filter {
+    define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
+    }
+
+    define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -77,8 +85,8 @@ table inet filter {
     # add connections established without synproxy to connection limit sets with limits enforced
     chain input-tcp-service-established {
         ct mark 0x1 accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
@@ -87,8 +95,8 @@ table inet filter {
     # add connections established with synproxy to connection limit sets with limits enforced
     chain input-tcp-service-loopback {
         tcp flags != syn accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept

etc/nftables/nftables-discuss.conf

@@ -3,6 +3,14 @@
 flush ruleset
 
 table inet filter {
+    define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
+    }
+
+    define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -80,8 +88,8 @@ table inet filter {
     # add connections established without synproxy to connection limit sets with limits enforced
     chain input-tcp-service-established {
         ct mark 0x1 accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
@@ -90,8 +98,8 @@ table inet filter {
     # add connections established with synproxy to connection limit sets with limits enforced
     chain input-tcp-service-loopback {
         tcp flags != syn accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept

etc/nftables/nftables-mail.conf

@@ -3,6 +3,14 @@
 flush ruleset
 
 table inet filter {
+    define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
+    }
+
+    define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
+    }
+
     define ip-allowlist-main = {
         51.79.66.27, # attestation.app
         51.79.52.38, # discuss.grapheneos.org
@@ -89,8 +97,8 @@ table inet filter {
     # add connections established without synproxy to connection limit sets with limits enforced
     chain input-tcp-service-established {
         ct mark 0x1 accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
@@ -99,8 +107,8 @@ table inet filter {
     # add connections established with synproxy to connection limit sets with limits enforced
     chain input-tcp-service-loopback {
         tcp flags != syn accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept

etc/nftables/nftables-matrix.conf

@@ -3,6 +3,14 @@
 flush ruleset
 
 table inet filter {
+    define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
+    }
+
+    define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -77,8 +85,8 @@ table inet filter {
     # add connections established without synproxy to connection limit sets with limits enforced
     chain input-tcp-service-established {
         ct mark 0x1 accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
@@ -87,8 +95,8 @@ table inet filter {
     # add connections established with synproxy to connection limit sets with limits enforced
     chain input-tcp-service-loopback {
         tcp flags != syn accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept

etc/nftables/nftables-network.conf

@@ -4,10 +4,12 @@ flush ruleset
 
 table inet filter {
     define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
         51.222.159.116, # 0.grapheneos.network
     }
 
     define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
         2607:5300:205:200::2584, # 0.grapheneos.network
     }
 

etc/nftables/nftables-ns1.conf

@@ -7,10 +7,12 @@ table inet filter {
     define ip6-anycast = 2a05:b0c4:1::8
 
     define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
         51.161.34.158, # 0.ns1.grapheneos.org
     }
 
     define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
         2607:5300:205:200::eaa, # 0.ns1.grapheneos.org
     }
 

etc/nftables/nftables-ns2.conf

@@ -6,10 +6,12 @@ table inet filter {
     define ip-anycast = 198.251.90.93
 
     define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
         198.98.53.141, # 0.ns2.grapheneos.org
     }
 
     define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
         2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
     }
 

etc/nftables/nftables-social.conf

@@ -3,6 +3,14 @@
 flush ruleset
 
 table inet filter {
+    define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
+    }
+
+    define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -77,8 +85,8 @@ table inet filter {
     # add connections established without synproxy to connection limit sets with limits enforced
     chain input-tcp-service-established {
         ct mark 0x1 accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
@@ -87,8 +95,8 @@ table inet filter {
     # add connections established with synproxy to connection limit sets with limits enforced
     chain input-tcp-service-loopback {
         tcp flags != syn accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
         tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept

etc/nftables/nftables-web.conf

@@ -4,11 +4,13 @@ flush ruleset
 
 table inet filter {
     define ip-allowlist-ssh = {
+        {{ssh_ipv4}},
         51.222.156.101, # 0.grapheneos.org
         45.90.185.33, # 0.releases.grapheneos.org
     }
 
     define ip6-allowlist-ssh = {
+        {{ssh_ipv6}},
         2607:5300:205:200::29c6, # 0.grapheneos.org
         2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
     }