Daniel Micay c1756f5809 add synproxy/connlimit for ACME/redirect use of HTTP
This makes it easier to maintain and deploy more aggressive DDoS
mitigation when our main HTTPS services are under attack.

Network servers use HTTP for connectivity checks which do not use
keepalive and should also be a good use case for
2024-04-04 12:46:38 -04:00


#!/usr/bin/nft -f
# Discard whatever ruleset is currently loaded; the file below is then applied
# as a single unit, so a reload never leaves a half-old/half-new ruleset.
flush ruleset
# Host firewall for the Matrix server. A single inet table covers IPv4 and
# IPv6 with the same rules. Rule order is significant in every chain below.
table inet filter {
    # Sources exempt from the per-source SSH connection limit enforced in
    # input-loopback. Only loopback is listed; add trusted management
    # addresses here to exempt them from the limit.
    define ip-allowlist-ssh = {
        127.0.0.1,
    }
    define ip6-allowlist-ssh = {
        ::1,
    }
    # Dynamic sets holding the connlimit state. Entries are created by the
    # `add @set { <key> ct count over N }` rules in input-loopback and looked
    # up by the early reject rules in input. None of the sets carries a
    # timeout flag, so an entry presumably lives until the kernel reclaims its
    # per-key connection-count state (i.e. no tracked connection remains for
    # the key) — confirm, since this is what decides how long a source stays
    # rejected on the public side.
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
    }
    set ip6-connlimit-ssh {
        type ipv6_addr
        flags dynamic
    }
    set ip-connlimit-http {
        type ipv4_addr
        flags dynamic
    }
    set ip6-connlimit-http {
        type ipv6_addr
        flags dynamic
    }
    # Runs ahead of connection tracking (priority raw), so "notrack" here keeps
    # the matching packets out of conntrack entirely.
    chain prerouting-raw {
        type filter hook prerouting priority raw
        # drop packets without a reverse path (strict reverse path filtering)
        fib saddr . iif oif missing counter drop
        # Loopback traffic is not tracked. Packets that already carry a
        # conntrack reference (presumably including the SYN synproxy
        # re-injects towards the local listener — confirm) are unaffected by
        # notrack, which is what lets input-loopback count them below.
        iif lo notrack accept
        # drop packets to address not configured on incoming interface (strong host model)
        fib daddr . iif type != { local, broadcast, multicast } counter drop
        # HTTPS is handled statelessly: no conntrack in either direction (see
        # output-raw) and no synproxy; input accepts it outright.
        tcp dport 443 notrack accept
        # Only the initial SYN to SSH/HTTP is untracked. That is the
        # precondition for the synproxy rule in input to answer it with a
        # SYN cookie; the rest of the handshake is left to conntrack and
        # reaches the synproxy rule as an invalid-state packet.
        tcp dport { 22, 80 } tcp flags syn notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    # Outbound counterpart of prerouting-raw: loopback, HTTPS replies and
    # ICMP are kept out of conntrack so the two directions agree.
    chain output-raw {
        type filter hook output priority raw
        oif lo notrack accept
        tcp sport 443 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    # Inbound policy: default drop; only HTTPS, ICMP, replies to existing
    # connections and synproxy-guarded SSH/HTTP are let through.
    chain input {
        type filter hook input priority filter
        policy drop
        iif lo goto input-loopback
        # Untracked HTTPS (see prerouting-raw) is accepted without state.
        tcp dport 443 accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Tracked traffic: replies to existing connections are accepted and
        # any tracked "new" connection is refused with a reset/unreachable
        # rather than dropped. Because SSH/HTTP SYNs were notracked above,
        # only untracked SYNs and packets with no conntrack entry (state
        # invalid) reach the rules that follow.
        ct state vmap { established : accept, related : accept, new : goto graceful-reject }
        # Early reject for sources present in the connlimit sets, before
        # synproxy does any work for them. IPv6 sources are keyed by prefix:
        # /80 for SSH (five groups) but /64 for HTTP (four groups); the
        # asymmetry looks deliberate — confirm.
        # NOTE(review): `add @set { <key> ct count over N }` in input-loopback
        # appears to insert the key on every counted SYN, not only once the
        # limit is exceeded. If so, these membership matches reset every new
        # SYN from a source that still has any live tracked connection, which
        # for HTTP is far stricter than the `over 32` configured below. Confirm
        # against the dynamic-set semantics before relying on the 32 figure.
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
        tcp dport 80 ip saddr @ip-connlimit-http counter reject with tcp reset
        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-http counter reject with tcp reset
        # What remains for 22/80 is the untracked SYN or the following ACK:
        # synproxy completes the handshake on the listener's behalf and only
        # hands over a connection once the client has proven it can finish it.
        # The TCP options advertised here should match what the real listeners
        # offer, since the client negotiates them with synproxy, not the server.
        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
    }
    # Loopback input. This is the only place per-source connection counts are
    # taken, keyed by the client address seen on lo (presumably the source of
    # the SYN synproxy re-injects for an accepted handshake — confirm).
    chain input-loopback {
        # At most one concurrent SSH connection per non-allowlisted source
        # (IPv6: per /80). The source is recorded in the set and its SYN is
        # reset once its count exceeds 1; the allowlist exempts a source from
        # counting entirely, so it can never appear in the set.
        tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
        # At most 32 concurrent HTTP connections per source (IPv6: per /64).
        # There is no allowlist for HTTP.
        tcp dport 80 tcp flags syn add @ip-connlimit-http { ip saddr ct count over 32 } counter reject with tcp reset
        tcp dport 80 tcp flags syn add @ip6-connlimit-http { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
        # Everything else on loopback (the service-to-service flows allowed in
        # output-loopback) is accepted.
        accept
    }
    # This host does not route; nothing is forwarded.
    chain forward {
        type filter hook forward priority filter
        policy drop
    }
    # Outbound policy is per sending user: anything not owned by root or one of
    # the listed service accounts is refused. No explicit policy is set, so
    # traffic from the listed users falls through to the base-chain default
    # (accept).
    chain output {
        type filter hook output priority filter
        oif lo goto output-loopback
        skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
    }
    # Loopback output, one allow rule per service-to-service flow. Port 8008
    # (the port synapse answers on, going by the `skuid synapse tcp sport 8008`
    # rule) is carved out of every ephemeral-port range so that only the
    # explicit rules below can reach it.
    chain output-loopback {
        # unbound answering DNS queries from local clients
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept
        # chrony, synapse and matterbridge querying the local resolver
        skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept
        # postgres UDP between ephemeral ports (presumably its internal stats
        # traffic — confirm)
        skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
        # synapse answering clients on 8008
        skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
        # the web server (http user) and mjolnir connecting to synapse on 8008
        skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
        skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
        # the http user answering HTTPS over loopback, and matterbridge/synapse
        # making the corresponding HTTPS connections to it
        skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
        skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
        skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
        # Only root may send anything else over loopback.
        skuid != root counter goto graceful-reject
        accept
    }
    # Shared reject chain: unreachable for UDP, RST for TCP, and the protocol
    # default for anything else, so refused traffic fails fast instead of
    # timing out.
    chain graceful-reject {
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        reject
    }
}