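---
# SSH firewall tasks, applied through the iptables_raw module.
# Inputs (role variables): sshd_ports (joined with ',' into --dports),
# sshd_max_conn_per_minute (0 disables the limit) and sshd_src_ip
# (optional; flattened and joined into -s).

# Throttle new SSH connections per source: every NEW connection to the sshd
# ports is recorded in the "ssh_limit" recent list; once a source reaches
# sshd_max_conn_per_minute hits within 60 seconds, further NEW connections
# are logged and then rejected. The whole set is removed when the limit
# is not positive.
- name: Apply rate limits
  iptables_raw:
    name: sshd_limit
    rules: |
      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
    # NOTE(review): the LOG rule carries no "-m limit" of its own, so once a
    # source is over the threshold every additional NEW connection from it
    # produces a log line; consider a limit match if log volume matters.
    state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
    # Explicit low weight so this set is ordered ahead of the source-based
    # ACCEPT below, which leaves weight at the module default — confirm the
    # default against the iptables_raw version in use.
    weight: 10
  tags:
    - ssh
    - firewall

# Restrict SSH to an explicit list of source addresses. The ACCEPT rule is
# installed only when sshd_src_ip is defined and non-empty and removed
# otherwise.
- name: Handle ssh ports
  iptables_raw:
    name: sshd_ports
    state: "{{ (sshd_src_ip is defined and sshd_src_ip | length > 0) | ternary('present','absent') }}"
    # NOTE(review): flatten/join presume sshd_src_ip is a list; a bare string
    # would be iterated character by character — verify the role defaults.
    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ sshd_ports | join(',') }} -s {{ sshd_src_ip | flatten | join(',') }} -j ACCEPT"
  tags:
    - ssh
    - firewall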