-rw-r--r--puppet/modules/site_config/manifests/eip.pp2
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp26
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp42
3 files changed, 70 insertions, 0 deletions
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp
index 2c696d21..95f9dbf4 100644
--- a/puppet/modules/site_config/manifests/eip.pp
+++ b/puppet/modules/site_config/manifests/eip.pp
@@ -24,4 +24,6 @@ class site_config::eip {
push => '"dhcp-option DNS 10.2.0.1"',
management => '127.0.0.1 1001'
}
+
+ include site_shorewall::eip
}
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
new file mode 100644
index 00000000..cfe7bae2
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -0,0 +1,26 @@
+class site_shorewall::defaults {
+ include shorewall
+
+ # If you want logging:
+ shorewall::params {
+ 'LOG': value => 'debug';
+ }
+
+ shorewall::zone {'net': type => 'ipv4'; }
+
+ shorewall::rule_section { 'NEW': order => 10; }
+
+ case $shorewall_rfc1918_maineth {
+ '': {$shorewall_rfc1918_maineth = true }
+ }
+
+ case $shorewall_main_interface {
+ '': { $shorewall_main_interface = 'eth0' }
+ }
+
+ shorewall::interface {$shorewall_main_interface:
+ zone => 'net',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+}
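Review bot: The two `case` blocks at `case $shorewall_rfc1918_maineth` and `case $shorewall_main_interface` supply defaults by assigning to top-scope variable names from inside the class, which relies on dynamic scoping from whoever sets those variables and on an unset variable evaluating to `''`; both assumptions are easy to break and hard to spot from the call site. Class parameters express the same intent explicitly: `class site_shorewall::defaults($main_interface = 'eth0', $rfc1918_maineth = true) {` with `shorewall::interface { $main_interface: ... rfc1918 => $rfc1918_maineth, ... }`, and the `case` blocks go away. The comment `# If you want logging:` reads as if `LOG` were optional, but `shorewall::params { 'LOG': value => 'debug'; }` is applied unconditionally, so either make it a parameter or reword the comment to `# Rule logging is always enabled at debug level here`. Note also that `$shorewall_rfc1918_maineth` is read by site_shorewall::eip for `tun0` as well, so a default chosen for the main interface silently applies to the VPN interface.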
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..bfa77206
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -0,0 +1,42 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ rfc1918 => $shorewall_rfc1918_maineth,
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::policy {
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+ 'all2all-ssh':
+ source => 'all',
+ destination => 'all',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'all2all-openvpn':
+ source => 'all',
+ destination => 'all',
+ action => 'OpenVPN(ACCEPT)',
+ order => 200;
+ }
+}
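Review bot: `$shorewall_startup='0'` under `# be safe for development` presumably tells the shorewall module not to start the firewall, so the `all-to-all` DROP policy and the rules below are written out but not enforced on any host that applies this class as-is; if that is meant for development only, make it a parameter such as `class site_shorewall::eip($startup = '1') {` or document that production must override it. The rules `all2all-ping`, `all2all-ssh` and `all2all-openvpn` accept from zone `all` to zone `all`, which admits SSH from VPN clients in `eip` to the firewall and forwards SSH/OpenVPN between `net` and `eip`; SSH and OpenVPN are normally only needed from `net` to the firewall, i.e. `source => 'net', destination => '$FW'`, with `eip` traffic governed by its own rules. `tun0` reuses `$shorewall_rfc1918_maineth` from site_shorewall::defaults (default true) although the tunnel carries RFC1918 client addresses (the first hunk pushes DNS 10.2.0.1), so if that flag turns on RFC1918 source filtering for the interface it will drop VPN client traffic — worth confirming against the shorewall module's interface definition. `routestopped` is declared for `eth0` only, leaving `tun0` blocked while the firewall is stopped; if that is the intended choice, a one-line comment stating it would save the next reader the question.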