Need help translating rate limiting iptables rules to Puppet format

Posted by geoffroy on Server Fault See other posts from Server Fault or by geoffroy
Published on 2014-08-19T16:07:30Z Indexed on 2014/08/19 16:21 UTC
Read the original article Hit count: 187

Filed under:

iptables

|

puppet

I use Puppet Iptables module to manage Iptables rules on my machine. I'd like to implement to rate limit failed SSH connections as described here : Hundreds of failed ssh logins

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -j ACCEPT

Is it possible to translate it to Puppet syntax, such as

firewall { '015 drop 5 failed attemps to connect to SSH in a minute ':
   proto   => 'tcp',
   port    => 22,
   action  => 'drop',
   // what are the other paramters ?
}

Any help welcome.

Best regards

Geoffroy

© Server Fault or respective owner

Related posts about iptables

Sometimes this script fails to update the iptables

as seen on Server Fault - Search for 'Server Fault'
It does not happen often, but sometimes after running the below script, checking the iptables with service iptables status shows that they weren't updated and the script doesn't output any error. The iptables is structured as look-up tree (long repeated sections snipped): #!/bin/sh iptables -t… >>> More
My current iptable configuration doesn't work [on hold]

as seen on Server Fault - Search for 'Server Fault'
sudo chkconfig iptables off /etc/init.d/iptables on ### Clear/flush iptables sudo iptables -F sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT ### Allow SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables… >>> More
L2TP iptables port forward

as seen on Server Fault - Search for 'Server Fault'
Hi all, I'm setting up port forwarding for an L2TP VPN connection to the local Windows 2003 VPN server. The router is a simpel Debian machine with iptables. The VPN server works perfect. But I cannot log in from the WAN. I'm missing something. The VPN server is using a pre-shared key (L2TP) and… >>> More
iptables -P FORWARD DROP makes port forwarding slow

as seen on Server Fault - Search for 'Server Fault'
I have three computers, linked like this: box1 (ubuntu) box2 router & gateway (debian) box3 (opensuse) [10.0.1.1] ---- [10.0.1.18,10.0.2.18,10.0.3.18] ---- [10.0.3.15] | box4, www [10.0.2.1] Among other… >>> More
IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables

as seen on Server Fault - Search for 'Server Fault'
I was thinking initially needing to do a reverse proxy or something so I could get some SSL/TLS traffic look like it is being terminated at a server and IP address in the AWS cloud, and then that traffic is forwarded onto our actual web servers that aren't in the cloud... I've not done much iptables… >>> More

Related posts about puppet

migrating puppet clients to a new puppet master (old puppet master server gone, only using backup)

as seen on Server Fault - Search for 'Server Fault'
My puppet master server had a hardware failure, and I have restored to another box. However this box has different hardware and hostname. If I restore the existing /etc/puppet directory to the new server, the puppetmaster will not start with the following error; # puppetmasterd --debug --verbose Could… >>> More
puppet rspec no such file to load -- rspec-puppet (LoadError)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have no prior experience at all of ruby. I am not interested in ruby (and so have no knowledge of rails etc) as such but am using puppet to manage a group of servers. I have written some modules and the rspec-puppet system looks like it would be very useful. However, I cannot get rspec-puppet… >>> More
Puppet: Making Windows Awesome Since 2011

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Originally posted on: http://geekswithblogs.net/robz/archive/2014/08/07/puppet-making-windows-awesome-since-2011.aspxPuppet was one of the first configuration management (CM) tools to support Windows, way back in 2011. It has the heaviest investment on Windows infrastructure with 1/3 of the platform… >>> More
What causes this logrotate behavior in Puppet?

as seen on Server Fault - Search for 'Server Fault'
After running logrotate, Puppet starts writing it's logs into /var/log/puppet/masterhttp.log-20130616. How come it doesn't keep logging in /var/log/puppet/masterhttp.log? It seems normal behavior is renaming the original log-file and start with a clean fresh log-file to start writing in that log… >>> More
solved: puppet master REST API returns 403 when running under passenger works when master runs from command line

as seen on Server Fault - Search for 'Server Fault'
I am using the standard auth.conf provided in puppet install for the puppet master which is running through passenger under Nginx. However for most of the catalog, files and certitifcate request I get a 403 response. ### Authenticated paths - these apply only when the client ### has a valid certificate… >>> More