From a6d1e00d07ee36979c2fa707cedc2f5ad7e9e92c Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sat, 3 May 2025 23:19:02 -0400
Subject: [PATCH] drop SSH connections to new anycast IPs
---
 etc/nftables/nftables-ns1.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 78a7aa0..a2fff1d 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -3,6 +3,9 @@
 flush ruleset
 table inet filter {
+    define ip-anycast = 185.187.152.9
+    define ip6-anycast = 2a05:b0c4:1::8
+
     define ip-allowlist-ssh = {
         51.161.34.158, # 0.ns1.grapheneos.org
     }
@@ -47,6 +50,9 @@ table inet filter {
         udp dport 53 notrack accept
+        tcp dport 22 ip daddr $ip-anycast drop
+        tcp dport 22 ip6 daddr $ip6-anycast drop
+
         # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
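Review bot: The two new `define` lines in the first hunk give no indication of what 185.187.152.9 and 2a05:b0c4:1::8 are or why they are singled out, while the neighbouring `ip-allowlist-ssh` entry carries its hostname as a comment; someone reading the ruleset alone cannot tell these are anycast service addresses. Add a comment above them such as `# anycast service addresses for this host; SSH to them is dropped below so management access must use the unicast address` (the second half follows the commit title rather than anything visible in the hunk, so adjust it if that is not the intent). If the anycast address list is expected to grow, writing them as sets (`define ip-anycast = { 185.187.152.9 }`) would let further addresses be added without editing the drop rules that consume `$ip-anycast` and `$ip6-anycast` in the later hunk. The enclosing `table inet filter` block continues past the end of the hunk.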