| field | value | date |
|---|---|---|
| author | elijah <elijah@riseup.net> | 2014-06-20 01:58:39 -0700 |
| committer | elijah <elijah@riseup.net> | 2014-06-25 18:17:22 -0700 |
| commit | 49f0c54a05f6b542367f8ef4538316ba2eaac6cd (patch) | |
| tree | c4d26dee9c7fb9f0056da062371ca30d292ce082 /puppet/modules/site_shorewall/manifests/stunnel/client.pp | |
| parent | 6df59b9f579134a9521aafb71727a98fdc92e19a (diff) | |
new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/stunnel/client.pp')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/stunnel/client.pp | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp new file mode 100644 index 00000000..9a89a244 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp @@ -0,0 +1,40 @@ +# +# Adds some firewall magic to the stunnel. +# +# Using DNAT, this firewall rule allow a locally running program +# to try to connect to the normal remote IP and remote port of the +# service on another machine, but have this connection magically +# routed through the locally running stunnel client. +# +# The network looks like this: +# +# From the client's perspective: +# +# |------- stunnel client --------------| |---------- stunnel server -----------------------| +# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port +# +# From the server's perspective: +# +# |------- stunnel client --------------| |---------- stunnel server -----------------------| +# ?? -> *:accept_port -> localhost:connect_port -> service +# + +define site_shorewall::stunnel::client( + $accept_port, + $connect, + $connect_port, + $original_port) { + + include site_shorewall::defaults + + shorewall::rule { + "stunnel_dnat_${name}": + action => 'DNAT', + source => '$FW', + destination => "\$FW:127.0.0.1:${accept_port}", + proto => 'tcp', + destinationport => $original_port, + originaldest => $connect, + order => 200 + } +} |
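Review bot: `$connect_port` is declared as a parameter of `site_shorewall::stunnel::client` but is never referenced in the body; only `$accept_port`, `$connect` and `$original_port` feed the `shorewall::rule`. Either drop it or add a comment in the header stating that it is accepted only so the define has the same interface as the stunnel client definition that calls it, otherwise a reader will assume the DNAT rule is wrong. Two documentation points in the header comment: `originaldest => $connect` is matched against the packet's destination address, so the comment should say whether `$connect` is expected to be an IP address or a hostname (a hostname would be resolved when shorewall compiles the rules, not at connect time), and the "From the server's perspective" diagram still contains the `??` placeholder for the remote side. Minor style: "this firewall rule allow a locally running program" should read "allows".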