mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-01-18 09:47:07 -05:00
add synproxy/connlimit for ACME/redirect use of HTTP
This makes it easier to maintain and deploy more aggressive DDoS mitigation when our main HTTPS services are under attack. Network servers use HTTP for connectivity checks which do not use keepalive and should also be a good use case for
This commit is contained in:
parent
3e23b80e9c
commit
c1756f5809
@ -21,6 +21,16 @@ table inet filter {
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip-connlimit-http {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip6-connlimit-http {
|
||||
type ipv6_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
chain prerouting-raw {
|
||||
type filter hook prerouting priority raw
|
||||
|
||||
@ -32,8 +42,8 @@ table inet filter {
|
||||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport { 80, 443 } notrack accept
|
||||
tcp dport 22 tcp flags syn notrack accept
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -41,7 +51,7 @@ table inet filter {
|
||||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 80, 443 } notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -50,18 +60,22 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 80, 443 } accept
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
@ -21,6 +21,16 @@ table inet filter {
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip-connlimit-http {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip6-connlimit-http {
|
||||
type ipv6_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
chain prerouting-raw {
|
||||
type filter hook prerouting priority raw
|
||||
|
||||
@ -35,8 +45,8 @@ table inet filter {
|
||||
# IPv6 interacts badly with IP-based spam filtering
|
||||
meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
|
||||
|
||||
tcp dport { 80, 443 } notrack accept
|
||||
tcp dport 22 tcp flags syn notrack accept
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -44,7 +54,7 @@ table inet filter {
|
||||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 80, 443 } notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -53,18 +63,22 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 80, 443 } accept
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
@ -21,6 +21,16 @@ table inet filter {
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip-connlimit-http {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip6-connlimit-http {
|
||||
type ipv6_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
chain prerouting-raw {
|
||||
type filter hook prerouting priority raw
|
||||
|
||||
@ -32,8 +42,8 @@ table inet filter {
|
||||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport { 80, 443 } notrack accept
|
||||
tcp dport 22 tcp flags syn notrack accept
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -41,7 +51,7 @@ table inet filter {
|
||||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 80, 443 } notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -50,18 +60,22 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 80, 443 } accept
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
@ -21,6 +21,16 @@ table inet filter {
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip-connlimit-http {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip6-connlimit-http {
|
||||
type ipv6_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
chain prerouting-raw {
|
||||
type filter hook prerouting priority raw
|
||||
|
||||
@ -32,8 +42,8 @@ table inet filter {
|
||||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport { 80, 443 } notrack accept
|
||||
tcp dport 22 tcp flags syn notrack accept
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -41,7 +51,7 @@ table inet filter {
|
||||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 80, 443 } notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -50,18 +60,22 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 80, 443 } accept
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
@ -25,6 +25,16 @@ table inet filter {
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip-connlimit-http {
|
||||
type ipv4_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
set ip6-connlimit-http {
|
||||
type ipv6_addr
|
||||
flags dynamic
|
||||
}
|
||||
|
||||
chain prerouting-raw {
|
||||
type filter hook prerouting priority raw
|
||||
|
||||
@ -36,8 +46,8 @@ table inet filter {
|
||||
# drop packets to address not configured on incoming interface (strong host model)
|
||||
fib daddr . iif type != { local, broadcast, multicast } counter drop
|
||||
|
||||
tcp dport { 80, 443 } notrack accept
|
||||
tcp dport 22 tcp flags syn notrack accept
|
||||
tcp dport 443 notrack accept
|
||||
tcp dport { 22, 80 } tcp flags syn notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -45,7 +55,7 @@ table inet filter {
|
||||
type filter hook output priority raw
|
||||
|
||||
oif lo notrack accept
|
||||
tcp sport { 80, 443 } notrack accept
|
||||
tcp sport 443 notrack accept
|
||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||
}
|
||||
|
||||
@ -54,18 +64,22 @@ table inet filter {
|
||||
policy drop
|
||||
|
||||
iif lo goto input-loopback
|
||||
tcp dport { 80, 443 } accept
|
||||
tcp dport 443 accept
|
||||
meta l4proto { icmp, ipv6-icmp } accept
|
||||
ct state vmap { established : accept, related : accept, new : goto graceful-reject }
|
||||
|
||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||
tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
|
||||
tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
|
||||
tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
|
||||
}
|
||||
|
||||
chain input-loopback {
|
||||
tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
|
||||
tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
|
||||
accept
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user