Git-Mirrors
/
graphene-os-server-infrastructure
mirror of https://github.com/GrapheneOS/infrastructure.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

nftables: add define for ns2.grapheneos.org anycast IP

This commit is contained in:
Daniel Micay 2024-04-18 10:40:29 -04:00
parent 741ea728ea
commit b17b2f3fd3
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nftables/nftables-ns2.conf
View File

@ -3,6 +3,8 @@
flush ruleset
table inet filter {
define ip-anycast = 198.251.90.93
define ip-allowlist-ssh = {
198.98.53.141, # 0.ns2.grapheneos.org
}
@ -46,8 +48,7 @@ table inet filter {
udp dport 53 notrack accept
# reject SSH packets via anycast IP
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
tcp dport 22 ip daddr $ip-anycast reject with tcp reset
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept