authorvarac <varacanero@zeromail.org>2012-10-12 22:07:19 +0200
committervarac <varacanero@zeromail.org>2012-10-12 22:07:19 +0200
commit3e11ce4c43282448b032f9ad8e31667fb4b85ccb (patch)
tree3bc95d3d627d00fbf496b157ec3a3593821b1879 /puppet/modules/site_shorewall
parentb8f727635254453503bd1d9b22e20d69cc23630a (diff)
parent0eff2049fa8d846dffee3236824b8bc42e581467 (diff)
Merge branch 'feature/eip' into develop
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp17
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp85
2 files changed, 102 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
new file mode 100644
index 00000000..c68b8370
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -0,0 +1,17 @@
+class site_shorewall::defaults {
+ include shorewall
+
+ # If you want logging:
+ shorewall::params {
+ 'LOG': value => 'debug';
+ }
+
+ shorewall::zone {'net': type => 'ipv4'; }
+
+ shorewall::rule_section { 'NEW': order => 10; }
+
+ shorewall::interface {'eth0':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+}
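Review bot: The comment `# If you want logging:` above the shorewall::params resource reads as an optional example, but the resource is declared unconditionally, so every node that includes this class gets `LOG` set to `debug`. Either make the comment match what the code does (e.g. `# Always set LOG to debug so every logging rule is verbose; tune down for production`) or guard the resource behind a class parameter so production hosts are not left at debug verbosity. The interface name `eth0` is also hard-coded here and again in the site_shorewall::eip hunk of this commit; pulling it into one variable would keep the two declarations in step.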
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..0902039c
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -0,0 +1,85 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ # define macro
+ file { "/etc/shorewall/macro.leap_eip":
+ content => 'PARAM - - tcp 53,80,443,1194
+PARAM - - udp 53,80,443,1194
+', }
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::interface {'tun1':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::masq {'eth0':
+ interface => 'eth0',
+ source => ''; }
+
+ shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
+ order => 200;
+
+ # eip gw itself to outside
+ 'fw2all-http':
+ source => '$FW',
+ destination => 'all',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'DNS(ACCEPT)',
+ order => 200;
+ 'fw2all-git':
+ source => '$FW',
+ destination => 'all',
+ action => 'Git(ACCEPT)',
+ order => 200;
+
+ 'eip2fw-https':
+ source => 'eip',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ }
+}
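Review bot: The `eip-to-all` policy at order 100 ACCEPTs from zone `eip` to `all`, and in Shorewall `all` includes the firewall zone itself, so VPN clients get unrestricted access to every service on the gateway; the explicit `eip2fw-https` rule below it is then redundant and the narrower intent it expresses is never enforced. Change the policy to `destinationzone => 'net',` so that only the intended forwarding is open by policy and access to `$FW` stays rule-driven. The `$shorewall_startup='0'` assignment at the top of the class is not read by anything in this hunk; if it is meant to reach the shorewall module via dynamic scoping that is fragile and, as the comment admits, leaves the firewall not starting at boot, which should not reach develop without a parameter to switch it. The masq resource with `source => ''` also looks worth a check, since an empty SOURCE column presumably masquerades everything behind eth0.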