From e23c2114f4fc44bb3ab45ac1618f822fbf9e2da0 Mon Sep 17 00:00:00 2001
From: moeny-matt
Date: Wed, 19 Feb 2025 16:46:37 -0500
Subject: [PATCH] add ssh iptables rules

---
 bolt_vm_automation/tasks/system_setup.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/bolt_vm_automation/tasks/system_setup.sh b/bolt_vm_automation/tasks/system_setup.sh
index 9aced57..764a011 100644
--- a/bolt_vm_automation/tasks/system_setup.sh
+++ b/bolt_vm_automation/tasks/system_setup.sh
@@ -15,6 +15,16 @@ if [ -z "$IP" ] || [ -z "$HOSTNAME" ] || [ -z "$DHCP" ] || [ -z "$GATEWAY" ] ||
     exit 1
 fi
 
+# Configure and install iptables-persistent
+sudo DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent
+
+# Restrict SSH access
+sudo iptables -A INPUT -p tcp --dport 22 -s 100.40.223.128/26 -j ACCEPT
+sudo iptables -A INPUT -p tcp --dport 22 -s 173.62.109.73/32 -j ACCEPT
+sudo iptables -A INPUT -p tcp --dport 22 -j DROP
+# Use netfilter-persistent to save rules instead of direct file writing
+sudo netfilter-persistent save
+
 # Create the new netplan configuration
 sudo tee /etc/cloud/cloud.cfg.d/90-installer-network.cfg << EOL
 network:
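Review bot: The three `iptables -A INPUT -p tcp --dport 22 …` lines append unconditionally, so every re-run of system_setup.sh (which is expected for a provisioning task) stacks duplicate ACCEPT/DROP rules that `netfilter-persistent save` then persists; each rule should be checked with `iptables -C` before it is appended, as in the helper below. The restriction is also IPv4-only: nothing equivalent is added via `ip6tables`, so if the VM has a routable IPv6 address SSH stays reachable from anywhere on that path — either add the same rules for `ip6tables` or drop port 22 over IPv6 explicitly. The two allow-listed sources are hard-coded while the rest of the script already takes its inputs (`$IP`, `$HOSTNAME`, `$GATEWAY`) from validated variables; presumably these should come from a variable with the same emptiness check so a wrong or missing allow-list cannot lock the operator out once the DROP rule lands. A comment such as `# SSH allow-list must contain the address the operator connects from; the final DROP rule locks out everything else` would make that risk visible at the call site. These lines are top-level script statements, not inside a function.
```shell
# … unchanged: iptables-persistent install …

# Append an INPUT rule only if it is not already present, so re-running
# this script does not accumulate duplicate rules.
ensure_input_rule() {
  sudo iptables -C INPUT "$@" 2>/dev/null || sudo iptables -A INPUT "$@"
}

# Restrict SSH access
ensure_input_rule -p tcp --dport 22 -s 100.40.223.128/26 -j ACCEPT
ensure_input_rule -p tcp --dport 22 -s 173.62.109.73/32 -j ACCEPT
ensure_input_rule -p tcp --dport 22 -j DROP
# … unchanged: netfilter-persistent save …
```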