From 8caa777e113b63ecc43bbc6cc606b634f352a864 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 15 Apr 2024 23:20:05 -0400
Subject: [PATCH] add connection limit allowlist for mail server

---
 nftables/nftables-mail.conf | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index c6b5f04..6e1db6d 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -3,6 +3,18 @@
 flush ruleset
 
 table inet filter {
+ define ip-allowlist-main = {
+ 51.79.66.27, # attestation.app
+ 51.79.52.38, # discuss.grapheneos.org
+ 51.79.51.42, # matrix.grapheneos.org
+ }
+
+ define ip6-allowlist-main = {
+ 2607:5300:205:200::7e9, # attestation.app
+ 2607:5300:205:200::3c4, # discuss.grapheneos.org
+ 2607:5300:205:200::26e1, # matrix.grapheneos.org
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -78,8 +90,8 @@ table inet filter {
 ct mark 0x1 accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
 
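Review bot: The two new `define` blocks in the first hunk carry only per-address hostname comments, and nothing states why these peers are exempt from the per-source connection limit or that the exemption is tied to literal addresses. A comment above `define ip-allowlist-main` along the lines of `# Peers exempt from the per-source connection limit on the mail/web ports. Addresses are static; if a listed host moves, update it here or it silently falls back under the limit.` would make both the intent and the maintenance obligation explicit. Since a `define` is expanded when the ruleset is loaded, a stale address produces no error, it just stops matching, which is the failure mode that comment should call out. If the list is expected to change at runtime, a named `set` with `elements = { ... }` can be edited with `nft add element` without reloading the whole file, whereas a `define` cannot.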
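Review bot: The `ip saddr != $ip-allowlist-main` / `ip6 saddr != $ip6-allowlist-main` guards exempt the listed hosts from the 32-connection limit on all of `{ 25, 80, 443, 465, 993 }`, so a compromised or misbehaving allowlisted peer can hold an unbounded number of connections to the web and IMAP ports as well as SMTP; the same pattern appears in the next hunk at `@@ -88,8 +100,8 @@`. If, as the commit title suggests, these peers only need unrestricted access to port 25, the exemption can be narrowed by splitting each rule, e.g. `tcp dport 25 ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset` followed by `tcp dport { 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset`, with the IPv6 pair mirroring it. Whether the peers need more than SMTP is not visible here, so this is a question to confirm rather than a definite defect; either way a comment on the rule recording which ports the exemption is meant to cover would help the next reader. The enclosing chain's header is outside both hunks, so the chain's earlier rules that could short-circuit these matches are not visible.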
@@ -88,8 +100,8 @@ table inet filter {
 tcp flags != syn accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
- tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+ tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
 }
 