-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat_rule.pp | 25 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 28 |
2 files changed, 48 insertions, 5 deletions
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
new file mode 100644
index 00000000..4fc62f85
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -0,0 +1,25 @@
+define site_shorewall::dnat_rule {
+
+ $port = $name
+ if $port != 1194 {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index e94c7db4..7dee6b7a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,18 +1,22 @@
 class site_shorewall::eip {
 # be safe for development
- #$shorewall_startup='0'
+ $shorewall_startup='0'
 include site_shorewall::defaults
+ $interface = hiera('interface')
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+ $openvpn_config = hiera('openvpn')
+ $openvpn_ports = $openvpn_config['ports']
+ $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address
 $interface = hiera('interface')
- $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
 # define macro for incoming services
 file { '/etc/shorewall/macro.leap_eip':
- content => "PARAM - - tcp 53,80,443,1194,$ssh_port
-PARAM - - udp 53,80,443,1194
+ content => "PARAM - - tcp 1194,$ssh_port
+PARAM - - udp 1194
 ",
 }
@@ -71,6 +75,9 @@ PARAM - - udp 53,80,443,1194
 action => 'Ping(ACCEPT)',
 order => 200;
+<<<<<<< HEAD
+ 'net2fw-openvpn_ssh':
+=======
 # outside to server
 'net2fw-ssh':
 source => 'net',
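Review bot: `if $port != 1194` compares the resource title, which Puppet hands to the define as a string, against a numeric literal; older Puppet coerces numeric-looking strings here, but the behaviour is version-dependent and a non-numeric or malformed value arriving from hiera would silently produce a DNAT rule for a nonsense port instead of an error. Consider validating the title before building the rules, e.g. `if $port !~ /^\d+$/ { fail("site_shorewall::dnat_rule: port '${port}' is not numeric") }`, and comparing as strings (`if $port != '1194' {`). The define also has no header comment; I would add `# Forward one extra public TCP/UDP port (the resource title) from net to the OpenVPN gateway on 1194; 1194 itself is skipped because the leap_eip macro appears to accept it directly.`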
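Review bot: `$interface = hiera('interface')` is now assigned twice in `site_shorewall::eip` — on the added line and again on the kept context line directly below it — and Puppet rejects reassignment of a variable within the same scope, so this class will no longer compile; drop the kept line. `$shorewall_startup='0'` was uncommented under the comment `# be safe for development`, which reads like a local debugging toggle: if `site_shorewall::defaults` uses it to keep Shorewall from starting (not visible from this hunk), committing it leaves every EIP node without its firewall, so it should either be re-commented or come from hiera, e.g. `$shorewall_startup = hiera('shorewall_startup', '1')`. `$openvpn_ports` and `$openvpn_gateway_address` are taken from hiera/site_config with no validation even though they drive the DNAT rules added in this same commit; a validation call if puppetlabs-stdlib is available, or at minimum a comment such as `# openvpn.ports: array of extra public ports to DNAT to the gateway (strings or ints)`, would make the expected shape explicit.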
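Review bot: Unresolved merge-conflict markers are committed into `eip.pp` here — `+<<<<<<< HEAD`, `+      'net2fw-openvpn_ssh':` and `+=======` — with the closing `+>>>>>>> feature/couchdb` landing in the next hunk; Puppet will refuse to parse the manifest, so none of the firewall rules in this class get applied on the next run. Resolve by keeping one side: from what is visible the `feature/couchdb` side (`'net2fw-ssh'` with `SSH(ACCEPT)` followed by `'net2fw-openvpn'` with `leap_eip(ACCEPT)`) is the coherent one, so delete the three marker lines and the stray `'net2fw-openvpn_ssh':` title. The enclosing `shorewall::rule { ... }` block starts and ends outside this hunk.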
@@ -78,6 +85,7 @@ PARAM - - udp 53,80,443,1194
 action => 'SSH(ACCEPT)',
 order => 200;
 'net2fw-openvpn':
+>>>>>>> feature/couchdb
 source => 'net',
 destination => '$FW',
 action => 'leap_eip(ACCEPT)',
@@ -100,11 +108,21 @@ PARAM - - udp 53,80,443,1194
 action => 'Git(ACCEPT)',
 order => 200;
+<<<<<<< HEAD
+ #'eip2fw-https':
+ # source => 'eip',
+=======
 # Webfrontend is running on another server
 #'eip2fw-https':
 # source => 'eip',
+>>>>>>> feature/couchdb
 # destination => '$FW',
 # action => 'HTTPS(ACCEPT)',
 # order => 200;
 }
+
+ # create dnat rule for each port
+ #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
+ site_shorewall::dnat_rule { $openvpn_ports: }
+
 }
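Review bot: A second unresolved conflict block (`+<<<<<<< HEAD` … `+=======` … `+>>>>>>> feature/couchdb`) is committed in this hunk; both sides carry the same commented-out `eip2fw-https` rule, so the fix is to delete the three marker lines and the duplicated `#'eip2fw-https':` / `#  source => 'eip',` pair, leaving the `# Webfrontend is running on another server` version. Separately, `site_shorewall::dnat_rule { $openvpn_ports: }` opens a DNAT from `net` for every value of hiera `openvpn.ports` without checking that it is an array of ports — an undef or scalar value fails at compile time, and a wrong entry silently forwards an unintended port to the gateway — and the commented `#create_resources(...)` line is dead code that should be removed rather than kept. I would keep a short why-comment above the declaration: `# one DNAT rule per extra public port in hiera openvpn.ports -> gateway:1194 (1194 itself is skipped inside the define)`.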