nftables: reorder rule for rejecting SSH via anycast

Daniel Micay 2024-04-15 23:54:17 -04:00
parent 8caa777e11
commit 7782c861cb


@ -44,11 +44,11 @@ table inet filter {
# ordered after accepting loopback to permit using external IPs via loopback # ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
# reject SSH packets via anycast IP # reject SSH packets via anycast IP
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept