authorMicah <micah@leap.se>2016-08-04 14:57:03 -0400
committerMicah <micah@leap.se>2016-08-25 15:50:02 -0400
commit6e7c970afb44aab6c8a293e088bac5d205660e74 (patch)
treeb40ecc8cc6b90121895d628abeb20b85a7394073
parentdbeaa91f10441bb44d328f5abe255f5b93c6ef63 (diff)
Disallow intra-client connectivity (#8272).
Previously, a client connected to the VPN could make direct network connections to the other connected clients. These rules still allow each client to communicate with the eip gateways, but disallow any other connections between clients. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp34
1 files changed, 34 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 8fbba658..d608d08c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -84,6 +84,40 @@ class site_shorewall::eip {
proto => 'tcp',
destinationport => 'domain',
order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 304;
}
# create dnat rule for each port