author | Micah Anderson <micah@leap.se> | 2014-11-20 13:13:55 -0500 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2014-11-20 13:13:55 -0500 |
commit | e334f10447303209ac3802436437670f45511603 (patch) | |
tree | daeb240e17e381570e63f47557fdec3485de19da /puppet | |
parent | be18ba31fadd2e587672adc44175dd106187ceba (diff) |
specify the destination IP for DNAT rules for gateway addresses on port 443 (#6388)
Previously the DNAT rule would redirect the incoming port 443 requests
to openvpn, which was the wrong thing to do on the primary IP (but the
right thing to do on the openvpn gateway IPs). This manifested in the
webapp not being available when it was also configured as a service on
the node.
Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 49b929f2..f9fbe950 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -10,6 +10,7 @@ define site_shorewall::dnat_rule {
 destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194",
 proto => 'tcp',
 destinationport => $port,
+ originaldest => $site_openvpn::unlimited_gateway_address,
 order => 100;
 }
 shorewall::rule {
@@ -19,6 +20,7 @@ define site_shorewall::dnat_rule {
 destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194",
 proto => 'udp',
 destinationport => $port,
+ originaldest => $site_openvpn::unlimited_gateway_address,
 order => 100;
 }
 }
@@ -30,6 +32,7 @@ define site_shorewall::dnat_rule {
 destination => "\$FW:${site_openvpn::limited_gateway_address}:1194",
 proto => 'tcp',
 destinationport => $port,
+ originaldest => $site_openvpn::unlimited_gateway_address,
 order => 100;
 }
 shorewall::rule {
@@ -39,6 +42,7 @@ define site_shorewall::dnat_rule {
 destination => "\$FW:${site_openvpn::limited_gateway_address}:1194",
 proto => 'udp',
 destinationport => $port,
+ originaldest => $site_openvpn::unlimited_gateway_address,
 order => 100;
 }
 } |
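Review bot: In the third and fourth hunks (the tcp and udp rules whose `destination` is `${site_openvpn::limited_gateway_address}:1194`), the added `originaldest` is `$site_openvpn::unlimited_gateway_address`, which looks like a copy-paste from the first two hunks. As written, packets arriving on the limited gateway IP would not match these DNAT rules, while packets arriving on the unlimited gateway IP would match both pairs of rules at the same `order => 100`, so which OpenVPN instance receives them would depend on rule ordering rather than on the address the client connected to. The limited rules should presumably read `originaldest => $site_openvpn::limited_gateway_address,`. The conditionals enclosing each pair of rules lie outside the hunks, so this should be confirmed against the full define.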