From 78926682c9f3b2553c1e7ba21d588a4e2e08bfd0 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Fri, 16 Jun 2017 10:04:07 -0700
Subject: [PATCH] add ip_ranges parameter

---
 NEWS | 3 +++
 manifests/ssh.pp | 38 +++++++++++++++++++++++++++++---------
 2 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/NEWS b/NEWS
index d54ac21..bdbdd8b 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,9 @@ release/005.007 (unreleased)
 parameter to allow root users to login using ssh key-pairs. Both of
 these parameters are set to have no effect by default. [adamhl]
 
+ [ssh] Add the parameter $ip_ranges. This is an array of iptable
+ addresses that are allowed to access port 22 on this server. [adamhl]
+
 release/005.006 (2017-02-16)
 
 [kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 18bfddb..f7da0e1 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -14,6 +14,22 @@
 # sudo, see the base::sudo class.
 # Default: false
 
+# $ip_ranges: An array of iptables-compatible IP addresses that are
+# allowed to access port 22 on this server.
+# Default:
+# [
+# '10.32.0.0/15',
+# '10.34.0.0/15',
+# '10.36.0.0/15',
+# '10.39.0.0/16',
+# '10.48.0.0/17',
+# '171.64.0.0/14',
+# '172.16.0.0/12',
+# '192.168.0.0/16',
+# '204.63.224.0/21'
+# ]
+# (This is historical.)
+
 # $filter_sunetids: ignore "authentication failure" messages for this list
 # of sunetids.
 # Default: the empty array (so don't filter any such messages)
@@ -37,6 +53,18 @@ class base::ssh(
 $pam_afs = true,
 $pam_duo = false,
 $pam_slurm = false,
+ $ip_ranges =
+ [
+ '10.32.0.0/15',
+ '10.34.0.0/15',
+ '10.36.0.0/15',
+ '10.39.0.0/16',
+ '10.48.0.0/17',
+ '171.64.0.0/14',
+ '172.16.0.0/12',
+ '192.168.0.0/16',
+ '204.63.224.0/21'
+ ],
 $pubkey = false,
 $root_authorized_keys = undef,
 $filter_sunetids = [],
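Review bot: The new `$ip_ranges` header comment calls the value "iptables-compatible IP addresses" while every default entry is a CIDR network, and the closing "(This is historical.)" does not say what is historical, so a reader cannot tell whether single host addresses are accepted or why this particular list is the default. Suggest `# $ip_ranges: An array of source addresses or CIDR networks (iptables source` / `# syntax) that are allowed to reach port 22 on this server.` for the first two lines, and `# (The default is the list that was previously hard-coded in the ssh rule.)` in place of the last one, since the later hunk in this file removes exactly that hard-coded list.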
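Review bot: The new `$ip_ranges` parameter is accepted without any validation, and its value becomes the `source` of the port-22 iptables rule later in this class, so a caller passing a string, a nested array or a malformed range is only caught when that resource is evaluated, if at all. The neighbouring parameters are untyped too, so the class appears to target the pre-4.x parser; if puppetlabs-stdlib is available, `validate_array($ip_ranges)` at the start of the class body gives an early, readable failure, and `Array[String] $ip_ranges = [...]` would be the equivalent under the 4.x parser. The class body that would hold the check starts outside this hunk.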
@@ -80,15 +108,7 @@ class base::ssh(
 base::iptables::rule { 'ssh':
 protocol => 'tcp',
 port => '22',
- source => [ '10.32.0.0/15', '10.34.0.0/15', '10.36.0.0/15', '10.39.0.0/16', '10.48.0.0/17', '171.64.0.0/14', '172.16.0.0/12', '192.168.0.0/16', '204.63.224.0/21' ],
+ source => $ip_ranges,
 }
 
 # Ensure the daemon is running.
-- 
GitLab
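Review bot: With `source => $ip_ranges` the reach of the port-22 rule is now decided by the caller, and nothing here says what an empty array means; depending on how `base::iptables::rule` expands `source`, `[]` could yield no rule at all or a rule with no source restriction, which would be the opposite of what the caller intended. The class already uses the empty array as "none" for `$filter_sunetids`, so a caller may reasonably expect the same here. Either document it next to the rule, e.g. `# NOTE: an empty $ip_ranges does not necessarily mean 'no access'; confirm how base::iptables::rule treats an empty source before relying on it`, or refuse the empty case with a `fail()` before declaring the rule. The enclosing class body starts outside this hunk.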