9fcac6b105
Our DNS servers only have HTTP(S) for obtaining certificates via ACME with accounturi pinning, along with redirecting people who visit the domain in a browser to our server documentation. We also only permit 1 request per HTTP(S) connection for these services, so connections are very short lived. We'll need to do this in a less aggressive way for our web sites and for the services that transfer significant amounts of data, such as the update servers, since clients without TCP timestamps lose SACK and window scaling under the current Linux SYN cookie design, despite it being possible to avoid that as FreeBSD does.
#!/usr/bin/nft -f
# Loaded with `nft -f`, which applies the whole file as a single transaction:
# the flush below and the table that follows take effect together, so there is
# no window with an empty ruleset. `flush ruleset` removes every table in every
# family, including any created by other tools, so this file must be the sole
# owner of the host's nftables state.
flush ruleset
# Host firewall for the DNS servers. Everything lives in one table of the
# inet family, so a rule applies to both IPv4 and IPv6 unless it carries an
# explicit ip/ip6 selector.
table inet filter {
    # IPv4 sources exempt from the per-address SSH connection limit
    # (only loopback is listed here).
    define ip-allowlist-ssh = {
        127.0.0.1,
    }

    # IPv6 sources exempt from the per-prefix SSH connection limit
    # (only loopback is listed here).
    define ip6-allowlist-ssh = {
        ::1,
    }

    # Per-client connection-limit state. Elements are added from input-loopback
    # with a `ct count` expression attached; the plain lookups in the input
    # chain (`@ip-connlimit-ssh` etc.) re-evaluate that count and only match
    # while the address is over its limit. No timeout or size is declared, so
    # one element per distinct client address (or IPv6 prefix) accumulates
    # until the ruleset is reloaded. NOTE(review): consider a timeout if set
    # growth on long-running hosts ever matters.
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
    }

    # IPv6 counterpart of ip-connlimit-ssh, keyed by the masked prefix used in
    # input-loopback (/80).
    set ip6-connlimit-ssh {
        type ipv6_addr
        flags dynamic
    }

    # Per-address limit state for the public services (DNS/TCP, HTTP(S), DoT).
    set ip-connlimit-main {
        type ipv4_addr
        flags dynamic
    }

    # IPv6 counterpart of ip-connlimit-main, keyed by /64.
    set ip6-connlimit-main {
        type ipv6_addr
        flags dynamic
    }

    # Runs before conntrack (priority raw): anti-spoofing checks plus the
    # decisions about which traffic is kept out of conntrack altogether.
    chain prerouting-raw {
        type filter hook prerouting priority raw

        # Strict reverse-path filtering: drop packets whose source address has
        # no route back out through the interface they arrived on.
        fib saddr . iif oif missing counter drop

        # Loopback traffic is trusted and never enters conntrack.
        iif lo notrack accept

        # Strong host model: drop packets whose destination address is not
        # configured on the arriving interface (broadcast/multicast excepted).
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # DNS over UDP is stateless, so it never creates conntrack entries.
        udp dport 53 notrack accept
        # Initial SYNs to the served TCP ports must stay untracked so that the
        # synproxy rules in `input` can answer them with SYN cookies before any
        # conntrack entry exists for the client.
        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn notrack accept
        # ICMP/ICMPv6 is handled statelessly as well.
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Mirror of prerouting-raw for locally generated traffic: loopback, DNS/UDP
    # answers and ICMP stay out of conntrack.
    chain output-raw {
        type filter hook output priority raw

        oif lo notrack accept
        udp sport 53 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Inbound policy. Anything not explicitly accepted or rejected here is
    # silently dropped.
    chain input {
        type filter hook input priority filter
        policy drop

        # Traffic arriving over lo (including the SYNs synproxy hands to the
        # local listeners) is accounted for in its own chain.
        iif lo goto input-loopback
        # Untracked DNS over UDP (see prerouting-raw) is accepted as-is.
        udp dport 53 accept
        # All ICMP/ICMPv6 is allowed; ICMPv6 is required for neighbour
        # discovery and path-MTU discovery.
        meta l4proto { icmp, ipv6-icmp } accept
        # Replies to existing connections are accepted. Because SYNs to the
        # served ports are untracked (prerouting-raw), `new` here can only be
        # the first packet of something not served on this host, which gets a
        # polite reject instead of a silent drop. Untracked SYNs and the
        # conntrack-invalid ACK that completes a synproxy handshake match
        # nothing in this map and fall through to the rules below.
        ct state vmap { established : accept, related : accept, new : goto graceful-reject }

        # Refuse SYNs from addresses that input-loopback has already found to
        # be at their SSH limit, before synproxy spends any effort on them.
        # IPv6 clients are keyed by prefix (/80 here) so a client cannot dodge
        # the limit by rotating addresses within its allocation.
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        # SYN cookies for SSH: the kernel completes the handshake on the
        # listener's behalf and only then generates a SYN towards the local
        # service, so half-open floods and spoofed sources never reach sshd.
        # NOTE(review): synproxy depends on net.netfilter.nf_conntrack_tcp_loose=0;
        # with loose pickup enabled the client's final ACK would be adopted as a
        # `new` flow and reset by the vmap above. That sysctl is not set in this
        # file — confirm it is applied alongside this ruleset.
        tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
        # Same scheme for the public services, keyed by /64 for IPv6. Clients
        # that do not negotiate TCP timestamps lose SACK and window scaling
        # through Linux SYN cookies, which the commit message deems acceptable
        # for these short, single-request connections.
        # NOTE(review): the SSH rules mask IPv6 to /80 while these use /64 —
        # confirm the difference is intentional.
        tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
        tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
        tcp dport { 53, 80, 443, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
    }

    # Loopback input. The SYN that synproxy generates towards a local listener
    # is routed over lo and carries the real client address, so concurrent
    # connections are counted here — after the client has proven it can
    # complete the handshake, which keeps spoofed sources out of the sets.
    # NOTE(review): this presumes the proxied SYNs really arrive on lo (true
    # for locally delivered traffic on Linux) — confirm if listeners move.
    chain input-loopback {
        # `add @set { key ct count over N }` records the address unconditionally
        # and the rule (a reset) only fires once the count — including the SYN
        # being evaluated — exceeds N. Non-allowlisted addresses therefore get
        # one concurrent SSH connection each (IPv6: per /80).
        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        # Public services: at most 16 concurrent connections per IPv4 address
        # or IPv6 /64, with no allowlist exemption.
        tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
        tcp dport { 53, 80, 443, 853 } tcp flags syn add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
        # Everything else on loopback is trusted.
        accept
    }

    # This host does not route: nothing is ever forwarded.
    chain forward {
        type filter hook forward priority filter
        policy drop
    }

    # Outbound policy. There is no `policy` line, so anything not rejected
    # below is accepted.
    chain output {
        type filter hook output priority filter

        oif lo goto output-loopback
        # Only these service accounts may originate traffic off-host. An
        # skuid match does not apply to packets without an owning socket
        # (e.g. kernel-generated resets and ICMP), so those pass unaffected.
        skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
    }

    # Loopback output, restricted per service account and port pair.
    chain output-loopback {
        # Local DNS: unbound answers from port 53 to ephemeral ports; chrony and
        # geoipupdate may query port 53 (presumably unbound) from ephemeral ports.
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
        skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept

        # The http user may open TCP connections to a powerdns listener on
        # port 54, and powerdns may answer from it. NOTE(review): presumably
        # the web server terminating TLS and relaying DNS over TCP to
        # PowerDNS — confirm.
        skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
        skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept

        # powerdns may answer from a TCP listener on port 81; per the rule
        # below, only root may open connections to it.
        # NOTE(review): presumably the PowerDNS API/web server — confirm.
        skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept

        # Any other loopback traffic must come from a root-owned socket.
        skuid != root counter goto graceful-reject
        accept
    }

    # Active rejection instead of a silent drop so peers fail fast:
    # port-unreachable for UDP, RST for TCP, and the family-appropriate
    # ICMP/ICMPv6 unreachable for anything else.
    chain graceful-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        reject
    }
}