add iptable rules, update ssh config

72389013 · Michael Loipführer · e8f617ce · 72389013 · 72389013 · 72389013
Commit 72389013 authored 5 years ago by Michael Loipführer
--- a/container/iptables.v4
+++ b/container/iptables.v4
+# iptable v4 rules for lustmolch container {{name}}
+*filter
+
+-A INPUT -p tcp -m tcp --dport {{ssh_port}} 10.150.0.0/17 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport {{ssh_port}} 141.84.69.0/24 -j ACCEPT
+
+COMMIT
+
--- a/container/iptables.v6
+++ b/container/iptables.v6
+# iptable v6 rules for lustmolch container {{name}}
+
+*filter
+
+-A INPUT -p tcp -m tcp --dport {{ssh_port}} 2001:4ca0:200::/48 -j ACCEPT
+
+COMMIT
--- a/container/sshd_config
+++ b/container/sshd_config
@@ -29,8 +29,8 @@ Port {{ssh_port}}
 # Authentication:

 #LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
+PermitRootLogin without-password
+StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

@@ -53,7 +53,7 @@ PubkeyAuthentication yes
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
 #PermitEmptyPasswords no

 # Change to yes to enable challenge-response passwords (beware issues with

--- a/lustmolch.py
+++ b/lustmolch.py
@@ -13,7 +13,9 @@ cfg_template = namedtuple('cfg_template', ['source', 'path', 'filename'])

 template_files_host = [
    cfg_template('nginx', Path('/etc/nginx/sites-available'), '{name}'),
-    cfg_template('nspawn', Path('/etc/systemd/nspawn'), '{name}.nspawn')
+    cfg_template('nspawn', Path('/etc/systemd/nspawn'), '{name}.nspawn'),
+    cfg_template('iptables.v4', Path('/etc/iptables'), '{50-container-{name}.v4'),
+    cfg_template('iptables.v6', Path('/etc/iptables'), '{50-container-{name}.v6')
 ]
 template_files_container = [
    cfg_template('sshd_config', Path('/etc/ssh'), 'sshd_config')