Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-07-22 06:28:57 -04:00
Code Issues Projects Releases Packages Wiki Activity

drop SSH connections to new anycast IPs

Browse source
This commit is contained in:
Daniel Micay 2025-05-03 23:19:02 -04:00
parent 029882f051
commit a6d1e00d07
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
etc/nftables/nftables-ns1.conf
View file

@ -3,6 +3,9 @@
flush ruleset
table inet filter {
define ip-anycast = 185.187.152.9
define ip6-anycast = 2a05:b0c4:1::8
define ip-allowlist-ssh = {
51.161.34.158, # 0.ns1.grapheneos.org
}
@ -47,6 +50,9 @@ table inet filter {
udp dport 53 notrack accept
tcp dport 22 ip daddr $ip-anycast drop
tcp dport 22 ip6 daddr $ip6-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept