mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-09-27 19:15:43 +00:00
c1756f5809
This makes it easier to maintain and deploy more aggressive DDoS mitigation when our main HTTPS services are under attack. Network servers use HTTP for connectivity checks which do not use keepalive and should also be a good use case for
#!/usr/bin/nft -f

# Replace, not extend, the running ruleset: every existing table (whoever
# loaded it) is removed before the table below is installed, so this file is
# the complete firewall state of the host.
flush ruleset
# Host firewall for a server exposing HTTPS (443), plain HTTP (80) and SSH (22),
# with Synapse, matterbridge, mjolnir, postgres, unbound and chrony running
# locally (see the per-uid rules in output-loopback). What the rules below do:
#   - 443 is kept stateless: `notrack` in both raw hooks means no conntrack
#     entry is ever created for HTTPS traffic in either direction;
#   - 22 and 80 are answered by a SYN proxy, with a per-source connection
#     limit enforced where the proxied SYN re-enters over loopback;
#   - ingress is strict reverse-path filtered and strong-host checked in the
#     raw prerouting hook, nothing is forwarded, and egress is restricted by
#     the uid of the sending socket.
table inet filter {
    # Sources exempt from the per-source SSH connection limit in
    # input-loopback. Only loopback is listed here; a deployment presumably
    # adds the operators' addresses — confirm before relying on this list.
    define ip-allowlist-ssh = {
        127.0.0.1,
    }

    define ip6-allowlist-ssh = {
        ::1,
    }

    # Dynamic sets keyed by source address, filled by the `add @set { ... ct
    # count over N }` rules in input-loopback and looked up in input. No
    # timeout is configured; elements are expected to be garbage-collected
    # once their counted connections are gone — TODO confirm for the kernel in
    # use. IPv6 keys are prefixes, and the mask must be the same at the add
    # site and at the lookup site: /80 (ffff:ffff:ffff:ffff:ffff::) for the
    # SSH sets, /64 (ffff:ffff:ffff:ffff::) for the HTTP sets.
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
    }

    set ip6-connlimit-ssh {
        type ipv6_addr
        flags dynamic
    }

    set ip-connlimit-http {
        type ipv4_addr
        flags dynamic
    }

    set ip6-connlimit-http {
        type ipv6_addr
        flags dynamic
    }

    # Earliest ingress hook, before conntrack: discard spoofed or misrouted
    # packets and mark the flows that must stay untracked. There is no explicit
    # policy, so anything not matched here is accepted and conntracked as usual.
    chain prerouting-raw {
        type filter hook prerouting priority raw

        # drop packets without a reverse path (strict reverse path filtering)
        fib saddr . iif oif missing counter drop

        # Loopback traffic is not conntracked. NOTE(review): the `ct count`
        # rules in input-loopback still count the SYN that synproxy re-injects
        # for 22/80, presumably because that packet already carries a conntrack
        # reference when it reaches this hook and `notrack` leaves such packets
        # alone — confirm against the kernel version deployed.
        iif lo notrack accept

        # drop packets to address not configured on incoming interface (strong host model)
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # HTTPS is handled statelessly; output-raw mirrors this for the replies
        # (`tcp sport 443 notrack`).
        tcp dport 443 notrack accept
        # Only packets with the SYN flag set, to 22/80, are left untracked so
        # they reach the synproxy rule in `input`; the rest of those flows is
        # tracked normally.
        tcp dport { 22, 80 } tcp flags syn notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Egress counterpart of prerouting-raw: loopback, HTTPS server replies and
    # ICMP stay untracked. No explicit policy: everything else is tracked.
    chain output-raw {
        type filter hook output priority raw

        oif lo notrack accept
        tcp sport 443 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }

    # Main ingress filter. Default drop; the explicit rejects below exist so
    # that legitimate peers get an error instead of a timeout.
    chain input {
        type filter hook input priority filter
        policy drop

        # Loopback has its own chain; that is also where the synproxy-injected
        # SYNs for 22/80 are connection-limited.
        iif lo goto input-loopback
        # Stateless HTTPS: accepted whatever the TCP flags or conntrack state,
        # since no state exists for it. Stray non-SYN segments are left to the
        # TCP stack to answer.
        tcp dport 443 accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Tracked flows: established/related pass. A tracked `new` packet here
        # is anything that was not made untracked above (UDP, TCP to other
        # ports, ...) and is answered with a protocol-appropriate error.
        # Untracked packets (the 22/80 SYNs) and invalid ones (presumably
        # including the client's final handshake ACK for a proxied
        # connection) fall through to the rules below.
        ct state vmap { established : accept, related : accept, new : goto graceful-reject }

        # Cheap rejection, before the SYN proxy does any work, of sources that
        # are already present in the connection-limit sets (populated in
        # input-loopback).
        # NOTE(review): `add @set { key ct count over N }` inserts the key the
        # first time it is seen, not only once the limit is exceeded, so these
        # membership tests reject any source that currently has at least one
        # counted connection. For SSH that coincides with the `over 1` limit
        # below; for HTTP it is stricter than `over 32` — confirm this is
        # intended.
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset

        # What is left for 22/80 is the start of a new connection: answer it
        # from the SYN proxy so the listening service only sees clients that
        # complete the handshake. The advertised options (mss/wscale/
        # timestamp/sack-perm) are what the proxy offers on the server's
        # behalf. Anything else reaching this point hits the drop policy.
        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
    }

    # Reached for iif lo only. Besides genuinely local traffic this sees the
    # SYN that synproxy re-injects for 22/80, carrying the remote client's
    # source address, which is where the per-source limits are enforced.
    # Everything not rejected here is accepted (last rule).
    chain input-loopback {
        # SSH: at most one counted connection per IPv4 source, or per IPv6 /80
        # (mask ffff:ffff:ffff:ffff:ffff::), unless the unmasked source address
        # is in the allowlist. Over the limit: RST and the set element is
        # still recorded.
        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        # HTTP: up to 32 counted connections per IPv4 source / IPv6 /64. There
        # is no allowlist exemption here, so 127.0.0.1 and ::1 are limited too.
        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset

        accept
    }

    # Not a router: nothing is forwarded.
    chain forward {
        type filter hook forward priority filter
        policy drop
    }

    # Egress is gated by the uid owning the sending socket. No explicit policy,
    # so traffic from the listed uids is accepted by default and every other
    # uid gets a protocol-appropriate error. postgres and mjolnir are not in
    # this list: only their loopback traffic is permitted (output-loopback).
    # NOTE(review): `skuid` cannot match a packet that has no owning socket
    # (kernel-generated traffic), so such packets are never rejected here —
    # confirm that is acceptable.
    chain output {
        type filter hook output priority filter

        oif lo goto output-loopback
        skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
    }

    # Loopback egress, per uid, port and direction. Port 8008 is excluded from
    # every "ephemeral port" range below; judging by the rules it is Synapse's
    # listener (synapse replies from sport 8008), and only http (nginx) and
    # mjolnir are allowed to connect to it. Ports below 1024 other than those
    # named are not permitted to any non-root uid.
    chain output-loopback {
        # Local DNS: unbound answers from port 53; chrony, synapse and
        # matterbridge may query it. `th` is used because the rule covers
        # both TCP and UDP.
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept
        skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept

        # postgres: UDP between ephemeral ports over loopback only (presumably
        # its statistics collector socket — confirm).
        skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept

        # Synapse on 8008: its replies, and the two clients allowed to reach it.
        skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
        skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
        skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept

        # nginx on 443 serving local clients: matterbridge and synapse connect
        # to it over loopback; http's replies come from sport 443.
        skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
        skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
        skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept

        # Anything else from a non-root uid is rejected; root is unrestricted
        # on loopback. As in `output`, packets without an owning socket do not
        # match `skuid` and reach the final accept.
        skuid != root counter goto graceful-reject
        accept
    }

    # Shared rejection chain: send the protocol-appropriate error instead of
    # silently dropping — port-unreachable for UDP, RST for TCP, and the
    # default (ICMP/ICMPv6 port-unreachable) for anything else.
    chain graceful-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        reject
    }
}