author | elijah <elijah@riseup.net> | 2014-06-20 01:58:39 -0700 |
committer | elijah <elijah@riseup.net> | 2014-06-20 01:58:39 -0700 |
commit | 80809853298f16ce7f27c5202f81b516cfa11d56 (patch) | |
tree | 0ee30e29c706f0c530e3cee8102872a6b02d3b2a /puppet/modules/site_shorewall/manifests/stunnel/client.pp | |
parent | 878d23127dd089e7ffc8a1cd30aeaac0d5a9391b (diff) |
new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/stunnel/client.pp')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/stunnel/client.pp | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
new file mode 100644
index 00000000..9a89a244
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
@@ -0,0 +1,40 @@
+#
+# Adds some firewall magic to the stunnel.
+#
+# Using DNAT, this firewall rule allow a locally running program
+# to try to connect to the normal remote IP and remote port of the
+# service on another machine, but have this connection magically
+# routed through the locally running stunnel client.
+#
+# The network looks like this:
+#
+# From the client's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port
+#
+# From the server's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# ?? -> *:accept_port -> localhost:connect_port -> service
+#
+
+define site_shorewall::stunnel::client(
+$accept_port,
+$connect,
+$connect_port,
+$original_port) {
+
+include site_shorewall::defaults
+
+shorewall::rule {
+"stunnel_dnat_${name}":
+action => 'DNAT',
+source => '$FW',
+destination => "\$FW:127.0.0.1:${accept_port}",
+proto => 'tcp',
+destinationport => $original_port,
+originaldest => $connect,
+order => 200
+} |
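Review bot: `$connect_port` is a required parameter of `site_shorewall::stunnel::client` but nothing in the body reads it; the DNAT rule is built only from `$accept_port`, `$original_port` and `$connect`, so a wrong or swapped value at the call site would go unnoticed while still being mandatory. Either drop the parameter or, if it is kept for call-site symmetry with the stunnel client definition, say so next to it, e.g. `$connect_port, # not used by the rule; the stunnel client config decides the remote port`. The header comment should also state explicitly what the rule matches, since the diagram shows the app connecting to `connect:connect_port` while the rule actually matches locally originated TCP to `$connect:$original_port` and rewrites it to `127.0.0.1:${accept_port}`; a line such as `# Matches: tcp from $FW to ${connect}:${original_port}; rewritten to 127.0.0.1:${accept_port}` would remove the ambiguity. Minor: "this firewall rule allow" should read "allows".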