diff options
author | varac <varacanero@zeromail.org> | 2012-10-12 22:07:19 +0200 |
---|---|---|
committer | varac <varacanero@zeromail.org> | 2012-10-12 22:07:19 +0200 |
commit | 3e11ce4c43282448b032f9ad8e31667fb4b85ccb (patch) | |
tree | 3bc95d3d627d00fbf496b157ec3a3593821b1879 /puppet/modules/site_shorewall | |
parent | b8f727635254453503bd1d9b22e20d69cc23630a (diff) | |
parent | 0eff2049fa8d846dffee3236824b8bc42e581467 (diff) |
Merge branch 'feature/eip' into develop
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 17 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 85 |
2 files changed, 102 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp new file mode 100644 index 00000000..c68b8370 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -0,0 +1,17 @@ +class site_shorewall::defaults { + include shorewall + + # If you want logging: + shorewall::params { + 'LOG': value => 'debug'; + } + + shorewall::zone {'net': type => 'ipv4'; } + + shorewall::rule_section { 'NEW': order => 10; } + + shorewall::interface {'eth0': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } +} diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp new file mode 100644 index 00000000..0902039c --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -0,0 +1,85 @@ +class site_shorewall::eip { + + # be safe for development + $shorewall_startup='0' + + include site_shorewall::defaults + + # define macro + file { "/etc/shorewall/macro.leap_eip": + content => 'PARAM - - tcp 53,80,443,1194 +PARAM - - udp 53,80,443,1194 +', } + + shorewall::interface {'tun0': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface {'tun1': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; } + + shorewall::zone {'eip': + type => 'ipv4'; } + + shorewall::routestopped {'eth0': + interface => 'eth0'; } + + shorewall::masq {'eth0': + interface => 'eth0', + source => ''; } + + shorewall::policy { + 'eip-to-all': + sourcezone => 'eip', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + + 'net2fw-ssh': + source => 'net', + destination => '$FW', + action => 'SSH(ACCEPT)', + order => 200; + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', + order => 200; + + # eip gw itself to outside + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; + 'fw2all-git': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; + + 'eip2fw-https': + source => 'eip', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + } +} |