
I use the Puppet iptables module to manage iptables rules on my machine. I'd like to implement rate limiting of failed SSH connections as described here:

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -j ACCEPT 

Is it possible to translate it to Puppet syntax, such as

firewall { '015 drop 5 failed attempts to connect to SSH in a minute':
  proto  => 'tcp',
  port   => 22,
  action => 'drop',
  # what are the other parameters?
}
geoffroy

1 Answer

The puppetlabs-firewall module tries hard to support all iptables arguments. The recent-specific arguments are prefixed with a single r, e.g. rseconds instead of --seconds.

Try

firewall { '015 drop 5 failed attempts to connect to SSH in a minute':
  proto     => 'tcp',
  port      => 22,
  action    => 'drop',
  recent    => 'update',
  rseconds  => '60',
  rhitcount => '5',
  rname     => 'SSH',
  rsource   => true,
}
Felix Frank
  • Thanks a lot! The syntax works, but it seems it's not dropping five failed SSH connections. I put it in my pre.pp firewall file and tried it before and after the rule that accepts tcp on port 22. Am I missing something? – geoffroy Aug 21 '14 at 05:32
  • Well, if your rules won't do what you expect, you should ask that as a new question. If the manifest works for you, then you can probably close this one. – Felix Frank Aug 21 '14 at 08:41
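The answer translates only the first of the two iptables lines, and the iptables lines as quoted in the question have a second problem: they match every packet to port 22, not just new connections, so the packets of an already established SSH session also count as hits and the session is dropped once five of them arrive within 60 seconds. The manifest below is an added example, not code from the original question, answer or the puppetlabs-firewall project, showing both rules as firewall resources with the connection-state restriction added. Parameter names (chain, proto, dport, ctstate, recent, rseconds, rhitcount, rname, rsource, action) are taken from the puppetlabs-firewall reference; older module releases spell ctstate as state and newer ones replace action with jump, so check the reference for the version you run. The resource titles, their numeric prefixes and the conntrack rule are assumptions for this example. Note also that the recent match counts new connections from a source address, not authentication failures: iptables never sees whether a login succeeded, so this rate-limits connection attempts, successful or not.

```puppet
# Added example (not from the original post). Rate-limit new SSH
# connections per source address with the xt_recent match, translated
# from the two iptables lines in the question plus a NEW-state restriction.
#
# puppetlabs-firewall orders rules by the numeric prefix of the title, so
# these two resources must sort before any general "accept tcp/22" rule,
# otherwise that rule accepts the packet first and these never match.

# 1) Source already in the SSH list with >= 5 new connections in the last
#    60 s: refresh its timestamp and drop. Only NEW connections count,
#    so packets of an established session do not add hits.
firewall { '015 drop source with 5 new SSH connections in a minute':
  chain     => 'INPUT',
  proto     => 'tcp',
  dport     => 22,
  ctstate   => ['NEW'],
  recent    => 'update',
  rseconds  => 60,
  rhitcount => 5,
  rname     => 'SSH',
  rsource   => true,
  action    => 'drop',
}

# 2) Otherwise record this source in the SSH list and accept the connection.
firewall { '016 record and accept new SSH connection':
  chain   => 'INPUT',
  proto   => 'tcp',
  dport   => 22,
  ctstate => ['NEW'],
  recent  => 'set',
  rname   => 'SSH',
  rsource => true,
  action  => 'accept',
}

# Assumed to exist already in most firewall base classes: packets of
# established sessions are accepted here and never reach rules 015/016.
firewall { '003 accept related and established':
  chain   => 'INPUT',
  proto   => 'all',
  ctstate => ['RELATED', 'ESTABLISHED'],
  action  => 'accept',
}
```

After a Puppet run, confirm the order with `iptables -S INPUT` (the two recent rules must appear before any plain accept of dport 22, and the conntrack accept before both), and watch the list fill with `cat /proc/net/xt_recent/SSH` while opening several connections from one client; the sixth connection inside a minute should hang rather than reach sshd. If a generic "accept tcp dport 22" resource with a lower number than 015 is still present, remove it, because it makes rule 015 unreachable.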