authorelijah <elijah@riseup.net>2014-06-20 01:58:39 -0700
committerelijah <elijah@riseup.net>2014-06-25 18:17:22 -0700
commit49f0c54a05f6b542367f8ef4538316ba2eaac6cd (patch)
treec4d26dee9c7fb9f0056da062371ca30d292ce082 /puppet/modules/site_shorewall/manifests/stunnel/client.pp
parent6df59b9f579134a9521aafb71727a98fdc92e19a (diff)
new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli
Diffstat (limited to 'puppet/modules/site_shorewall/manifests/stunnel/client.pp')
-rw-r--r--puppet/modules/site_shorewall/manifests/stunnel/client.pp40
1 files changed, 40 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
new file mode 100644
index 00000000..9a89a244
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
@@ -0,0 +1,40 @@
+#
+# Adds some firewall magic to the stunnel.
+#
+# Using DNAT, this firewall rule allow a locally running program
+# to try to connect to the normal remote IP and remote port of the
+# service on another machine, but have this connection magically
+# routed through the locally running stunnel client.
+#
+# The network looks like this:
+#
+# From the client's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port
+#
+# From the server's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# ?? -> *:accept_port -> localhost:connect_port -> service
+#
+
+define site_shorewall::stunnel::client(
+ $accept_port,
+ $connect,
+ $connect_port,
+ $original_port) {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ "stunnel_dnat_${name}":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "\$FW:127.0.0.1:${accept_port}",
+ proto => 'tcp',
+ destinationport => $original_port,
+ originaldest => $connect,
+ order => 200
+ }
+}
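Review bot: The `$connect_port` parameter is declared in the define's signature but never referenced in the `shorewall::rule` body, so it is dead from the firewall's point of view; either drop it from the signature or add a comment above it stating that it is accepted only so callers can pass the same argument set as the stunnel client define, e.g. `# unused here; kept for a uniform interface with the stunnel client resource`. The four parameters also have no documentation: the header diagram shows the ports, but a short per-parameter block would help, e.g. `# $accept_port   - local port the stunnel client listens on (127.0.0.1)`, `# $connect       - remote address the DNAT matches as original destination`, `# $original_port - remote service port that consumer apps dial`. Since `$connect` is interpolated directly into `originaldest`, it presumably must be an IP address rather than a hostname, because Shorewall resolves names only when the ruleset is compiled; if that assumption holds, it is worth stating in the parameter comment so callers do not pass a DNS name that later changes.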