From 7238901395355447eb2c50b91259ed26f5a8d793 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Loif=C3=BChrer?= <michael.loipfuehrer@tum.de>
Date: Thu, 6 Jun 2019 18:29:34 +0200
Subject: [PATCH] add iptable rules, update ssh config

---
 container/iptables.v4 | 8 ++++++++
 container/iptables.v6 | 7 +++++++
 container/sshd_config | 6 +++---
 lustmolch.py          | 4 +++-
 4 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 container/iptables.v4
 create mode 100644 container/iptables.v6

diff --git a/container/iptables.v4 b/container/iptables.v4
new file mode 100644
index 0000000..e488b8e
--- /dev/null
+++ b/container/iptables.v4
@@ -0,0 +1,8 @@
+# iptable v4 rules for lustmolch container {{name}}
+*filter
+
+-A INPUT -p tcp -m tcp --dport {{ssh_port}} 10.150.0.0/17 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport {{ssh_port}} 141.84.69.0/24 -j ACCEPT
+
+COMMIT
+
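Review bot: Both `-A INPUT` rules pass the source network as a bare positional token, which iptables-restore rejects ("unknown arguments found on commandline"); the address needs the `-s` option: `-A INPUT -p tcp -m tcp --dport {{ssh_port}} -s 10.150.0.0/17 -j ACCEPT` and `-A INPUT -p tcp -m tcp --dport {{ssh_port}} -s 141.84.69.0/24 -j ACCEPT`. The iptables.v6 hunk has the same defect on its `2001:4ca0:200::/48` rule. Separately, the `*filter` block sets no INPUT policy and has no terminating rule for other sources, so as written it only whitelists and does not restrict SSH to these networks; if restriction is the intent, a trailing `-A INPUT -p tcp -m tcp --dport {{ssh_port}} -j DROP` is the least invasive fix (a chain-wide `:INPUT DROP [0:0]` policy would additionally need loopback and ESTABLISHED,RELATED accepts to avoid locking the container out).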
diff --git a/container/iptables.v6 b/container/iptables.v6
new file mode 100644
index 0000000..987e03e
--- /dev/null
+++ b/container/iptables.v6
@@ -0,0 +1,7 @@
+# iptable v6 rules for lustmolch container {{name}}
+
+*filter
+
+-A INPUT -p tcp -m tcp --dport {{ssh_port}} 2001:4ca0:200::/48 -j ACCEPT
+
+COMMIT
diff --git a/container/sshd_config b/container/sshd_config
index 6c252b8..1c12459 100644
--- a/container/sshd_config
+++ b/container/sshd_config
@@ -29,8 +29,8 @@ Port {{ssh_port}}
 # Authentication:
 
 #LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
+PermitRootLogin without-password
+StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
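Review bot: `PermitRootLogin without-password` on the new line replaces a value that was already the preferred spelling: since OpenSSH 7.0 `without-password` is only a deprecated alias for `prohibit-password`, so the behaviour is unchanged but the config now uses the legacy keyword. Keep `PermitRootLogin prohibit-password`. Uncommenting `StrictModes yes` matches the sshd default and is fine as an explicit statement of intent.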
@@ -53,7 +53,7 @@ PubkeyAuthentication yes
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
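Review bot: `PasswordAuthentication no` on its own does not close the password path when sshd authenticates through PAM, because keyboard-interactive authentication can still prompt for a password; the `ChallengeResponseAuthentication` setting referred to by the comment on the last context line (its value is outside the hunk) must also be `no`. Suggest adding `ChallengeResponseAuthentication no` (on OpenSSH 8.7+ the keyword is `KbdInteractiveAuthentication no`) next to this line and checking the `UsePAM` value elsewhere in the file.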
diff --git a/lustmolch.py b/lustmolch.py
index 78aa0c3..83c9282 100755
--- a/lustmolch.py
+++ b/lustmolch.py
@@ -13,7 +13,9 @@ cfg_template = namedtuple('cfg_template', ['source', 'path', 'filename'])
 
 template_files_host = [
     cfg_template('nginx', Path('/etc/nginx/sites-available'), '{name}'),
-    cfg_template('nspawn', Path('/etc/systemd/nspawn'), '{name}.nspawn')
+    cfg_template('nspawn', Path('/etc/systemd/nspawn'), '{name}.nspawn'),
+    cfg_template('iptables.v4', Path('/etc/iptables'), '{50-container-{name}.v4'),
+    cfg_template('iptables.v6', Path('/etc/iptables'), '{50-container-{name}.v6')
 ]
 template_files_container = [
     cfg_template('sshd_config', Path('/etc/ssh'), 'sshd_config')
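Review bot: The two new filenames `'{50-container-{name}.v4'` and `'{50-container-{name}.v6'` begin with a stray `{`, so a `.format(name=...)` call on them raises `ValueError: unexpected '{' in field name` instead of yielding a path; the neighbouring entry `'{name}.nspawn'` shows the intended single-brace form. Change them to `'50-container-{name}.v4'` and `'50-container-{name}.v6'`. Separately, if these files under `/etc/iptables` are expected to be loaded by iptables-persistent/netfilter-persistent, note that by default it reads only `rules.v4`/`rules.v6`, so how the per-container files are applied should be confirmed. The `template_files_container` assignment continues outside the hunk.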
-- 
GitLab