Commit 45fd6175 authored by Leigh Stoller

Change to dom0 basic rules; allow ssh in, but rate limit it to no more

than 10 connections from the same source in the last 100 seconds. Note
this is just to the physical host itself, it does not affect traffic
to the containers.
parent 8b32419e
......@@ -124,9 +124,17 @@ iptables -A OUTPUT -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# In BASIC, we allow ssh from anywhere on port 22.
# In BASIC, we allow ssh from anywhere on port 22, but we rate limit it.
#
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
iptables -A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH # BASIC
iptables -A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 100 --hitcount 10 --rttl --name SSH -j DROP # BASIC
iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
#
# Allow outgoing http so we can update packages.
#
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
#
# GRE tunnels.
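Review bot: the three new port-22 rules drop the `-d me` destination match that the replaced `iptables -A INPUT -p tcp -d me --dport 22 ...` rule carried, so they now apply to every NEW SYN to port 22 that reaches INPUT rather than only those addressed to the host itself; if that widening was intentional the comment should say why `-d me` is no longer needed, otherwise restore it on all three rules. Two smaller points on the same lines: because `-m recent --set --name SSH` runs before the `--update --seconds 100 --hitcount 10` check, the current SYN is already counted, so it is the tenth new connection in 100 seconds that is dropped (the message says "no more than 10"), and since every attempt, dropped ones included, refreshes the entry's timestamp, a source that keeps retrying stays blocked until it has been quiet for 100 seconds. The `--set` rule has no `-j` target and works purely through the match's side effect, which is easy to mistake for a typo; a one-line comment above it documenting that and the counting behaviour would help the next reader.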