diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 78a7aa0..a2fff1d 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -3,6 +3,9 @@ flush ruleset
 table inet filter {
+ define ip-anycast = 185.187.152.9
+ define ip6-anycast = 2a05:b0c4:1::8
+
 define ip-allowlist-ssh = {
 51.161.34.158, # 0.ns1.grapheneos.org
 }
@@ -47,6 +50,9 @@ table inet filter {
 udp dport 53 notrack accept
+ tcp dport 22 ip daddr $ip-anycast drop
+ tcp dport 22 ip6 daddr $ip6-anycast drop
+
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
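Review bot: The two new SSH drop rules for the anycast addresses in the second hunk carry no `counter`, unlike the synproxy rule two lines below them, so hits on these rules never show up in `nft list ruleset` and cannot be watched for probing or for a misrouted client; suggest `tcp dport 22 ip daddr $ip-anycast counter drop` and `tcp dport 22 ip6 daddr $ip6-anycast counter drop`. A one-line comment above them would also help, since the intent is not recoverable from the rules themselves — presumably that SSH is meant to be reachable only on the host's unicast address, e.g. `# SSH is not offered on the anycast addresses; only the per-host unicast address accepts it`. Rule order is what makes these effective: they sit before the rate-limited synproxy accept, which is correct, but the chain header, its policy and any allowlist-based SSH accept are outside the hunk, so whether an earlier accept could pre-empt the drops cannot be checked from this diff.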