add synproxy/connlimit for ACME/redirect use of HTTP

This makes it easier to maintain and deploy more aggressive DDoS
mitigation when our main HTTPS services are under attack.

Network servers use HTTP for connectivity checks, which do not use
keepalive, and should also be a good use case for
Daniel Micay 2024-04-03 13:13:52 -04:00
parent 3e23b80e9c
commit c1756f5809
5 changed files with 95 additions and 25 deletions


@ -21,6 +21,16 @@ table inet filter {
flags dynamic flags dynamic
} }
set ip-connlimit-http {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
type ipv6_addr
flags dynamic
}
chain prerouting-raw { chain prerouting-raw {
type filter hook prerouting priority raw type filter hook prerouting priority raw
@ -32,8 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 80, 443 } notrack accept tcp dport 443 notrack accept
tcp dport 22 tcp flags syn notrack accept tcp dport { 22, 80 } tcp flags syn notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -41,7 +51,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 80, 443 } notrack accept tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -50,18 +60,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 80, 443 } accept tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject } ct state vmap { established : accept, related : accept, new : goto graceful-reject }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-loopback { chain input-loopback {
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept accept
} }
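Review bot: The IPv6 aggregation mask of the new HTTP connlimit rules differs from the SSH rules directly above them: the port-80 rules key on `ip6 saddr and ffff:ffff:ffff:ffff::` (a /64) in both `input` and `input-loopback`, while the port-22 rules use `ffff:ffff:ffff:ffff:ffff::` (a /80), and nothing in the file says whether the difference is deliberate. Bucketing HTTP clients per /64 is defensible, but without a comment the next maintainer will read it as a copy-paste slip and may "fix" it one way or the other. I would add above `set ip6-connlimit-http`: `# keyed on the source /64, unlike the SSH sets which use /80 — intentional` (if it is), and next to the `ct count over 32` rule: `# port 80 only serves ACME and the HTTPS redirect, no keepalive, so 32 concurrent connections per source is generous`. The threshold 32 and the two new sets are otherwise undocumented.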


@ -21,6 +21,16 @@ table inet filter {
flags dynamic flags dynamic
} }
set ip-connlimit-http {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
type ipv6_addr
flags dynamic
}
chain prerouting-raw { chain prerouting-raw {
type filter hook prerouting priority raw type filter hook prerouting priority raw
@ -35,8 +45,8 @@ table inet filter {
# IPv6 interacts badly with IP-based spam filtering # IPv6 interacts badly with IP-based spam filtering
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
tcp dport { 80, 443 } notrack accept tcp dport 443 notrack accept
tcp dport 22 tcp flags syn notrack accept tcp dport { 22, 80 } tcp flags syn notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -44,7 +54,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 80, 443 } notrack accept tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -53,18 +63,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 80, 443 } accept tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject } ct state vmap { established : accept, related : accept, new : goto graceful-reject }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-loopback { chain input-loopback {
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept accept
} }
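Review bot: On this host the IPv6 half of the new HTTP connlimit appears to be unreachable: the unchanged rule `meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset` sits alongside the `notrack` rules, which places it in the raw-priority prerouting chain (the chain header itself is outside this hunk), and that hook runs before `input`, so no IPv6 packet to port 80 should ever reach `tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http ...` or the matching `add @ip6-connlimit-http` rule in `input-loopback`. Keeping the set and the two rules is harmless and keeps this file in lockstep with the other hosts, but that should be stated, e.g. `# IPv6 HTTP is rejected in prerouting-raw above; kept for parity with the other hosts` on `set ip6-connlimit-http`, or the set and both rules dropped here. Separately, the /64 mask on these rules differs from the /80 used by the SSH connlimit rules above them, which is worth a comment if intentional.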


@ -21,6 +21,16 @@ table inet filter {
flags dynamic flags dynamic
} }
set ip-connlimit-http {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
type ipv6_addr
flags dynamic
}
chain prerouting-raw { chain prerouting-raw {
type filter hook prerouting priority raw type filter hook prerouting priority raw
@ -32,8 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 80, 443 } notrack accept tcp dport 443 notrack accept
tcp dport 22 tcp flags syn notrack accept tcp dport { 22, 80 } tcp flags syn notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -41,7 +51,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 80, 443 } notrack accept tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -50,18 +60,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 80, 443 } accept tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject } ct state vmap { established : accept, related : accept, new : goto graceful-reject }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-loopback { chain input-loopback {
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept accept
} }
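Review bot: The new `ip-connlimit-http` / `ip6-connlimit-http` sets and the `ct count over 32` threshold carry no comment, although the file does annotate its less obvious rules (the strong-host-model drop above). Because the sets are populated in `input-loopback` but enforced in `input`, a reader has to trace both chains to understand how a source ends up getting `reject with tcp reset`. I would add on the set definitions: `# sources exceeding the concurrent port-80 connection limit; filled in input-loopback, enforced in input`, and on the `tcp dport 80 tcp flags syn add @ip-connlimit-http ...` rule: `# 32 concurrent connections: port 80 only serves ACME and the HTTPS redirect, neither uses keepalive`. The commit message gives that rationale; the config itself does not, and it is the config that gets read during an incident.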


@ -21,6 +21,16 @@ table inet filter {
flags dynamic flags dynamic
} }
set ip-connlimit-http {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
type ipv6_addr
flags dynamic
}
chain prerouting-raw { chain prerouting-raw {
type filter hook prerouting priority raw type filter hook prerouting priority raw
@ -32,8 +42,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 80, 443 } notrack accept tcp dport 443 notrack accept
tcp dport 22 tcp flags syn notrack accept tcp dport { 22, 80 } tcp flags syn notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -41,7 +51,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 80, 443 } notrack accept tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -50,18 +60,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 80, 443 } accept tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject } ct state vmap { established : accept, related : accept, new : goto graceful-reject }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-loopback { chain input-loopback {
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept accept
} }
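Review bot: The per-IPv4-source limit in `tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 }` treats an entire CGNAT or corporate NAT egress as one client, so many users behind a single address are reset collectively once the 33rd concurrent connection opens, whereas IPv6 sources are bucketed per /64 — a different granularity again. If, as the commit message says, this listener only serves ACME and the HTTPS redirect without keepalive, connections are short-lived and 32 is probably ample, but that assumption belongs next to the number, e.g. `# short-lived ACME/redirect connections only; 32 leaves headroom for shared NAT egress addresses`. The /64 IPv6 mask also differs from the /80 the SSH rules directly above use; a one-line comment would settle whether that is intentional.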


@ -25,6 +25,16 @@ table inet filter {
flags dynamic flags dynamic
} }
set ip-connlimit-http {
type ipv4_addr
flags dynamic
}
set ip6-connlimit-http {
type ipv6_addr
flags dynamic
}
chain prerouting-raw { chain prerouting-raw {
type filter hook prerouting priority raw type filter hook prerouting priority raw
@ -36,8 +46,8 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model) # drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 80, 443 } notrack accept tcp dport 443 notrack accept
tcp dport 22 tcp flags syn notrack accept tcp dport { 22, 80 } tcp flags syn notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -45,7 +55,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo notrack accept oif lo notrack accept
tcp sport { 80, 443 } notrack accept tcp sport 443 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -54,18 +64,22 @@ table inet filter {
policy drop policy drop
iif lo goto input-loopback iif lo goto input-loopback
tcp dport { 80, 443 } accept tcp dport 443 accept
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { established : accept, related : accept, new : goto graceful-reject } ct state vmap { established : accept, related : accept, new : goto graceful-reject }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
} }
chain input-loopback { chain input-loopback {
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
accept accept
} }
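Review bot: After this change `tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm` covers SSH and HTTP, but `tcp dport 443 accept` just above still admits HTTPS untracked and with no connection limit, so the new connlimit/synproxy protects only the ACME/redirect listener; nothing in the file records that this split is intentional or why (the commit message explains it, the config does not). I would add above the 443 accept: `# HTTPS stays untracked and unlimited for performance; only port 80 (ACME + redirect) and SSH go through synproxy/connlimit`. The IPv6 HTTP bucket in `ip6 saddr and ffff:ffff:ffff:ffff::` (/64) also differs from the /80 used by the SSH rules directly above it, which deserves either a comment or alignment with the SSH mask.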