Diffstat (limited to 'puppet/modules/site_shorewall/manifests/eip.pp')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..4e5a5d48
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -0,0 +1,75 @@
+class site_shorewall::eip {
+
+ include site_shorewall::defaults
+ include site_shorewall::ip_forward
+
+ $openvpn_config = hiera('openvpn')
+ $openvpn_ports = $openvpn_config['ports']
+ $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_eip':
+ content => "PARAM - - tcp 1194
+PARAM - - udp 1194
+",
+ notify => Service['shorewall']
+ }
+
+
+ shorewall::interface {
+ 'tun0':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun1':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'
+ }
+
+
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+
+ case $::virtual {
+ 'virtualbox': {
+ shorewall::masq {
+ 'eth0_tcp':
+ interface => 'eth0',
+ source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
+ 'eth0_udp':
+ interface => 'eth0',
+ source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
+ }
+ default: {
+ $interface = $site_shorewall::defaults::interface
+ shorewall::masq {
+ "${interface}_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
+
+ "${interface}_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
+ }
+ }
+
+ shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
+ }
+
+ shorewall::rule {
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
+ order => 200;
+ }
+
+ # create dnat rule for each port
+ #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
+ site_shorewall::dnat_rule { $openvpn_ports: }
+
+} |
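Review bot: The `leap_eip` macro written to `/etc/shorewall/macro.leap_eip` hard-codes `tcp 1194` and `udp 1194`, while the DNAT rules at the end of the hunk are generated from `$openvpn_ports` read from hiera, so any port configured there other than 1194 would be forwarded by `site_shorewall::dnat_rule` but never accepted by the `net2fw-openvpn` rule; the macro `content` should be built from the same `$openvpn_ports` data, or at minimum carry `# NOTE: the ports listed here must match the 'ports' key of the hiera 'openvpn' hash used for the dnat rules below`. `$openvpn_gateway_address` is assigned but not referenced anywhere in the class and can be dropped. The `eip-to-all` ACCEPT policy also covers `$FW`, so VPN clients in the `eip` zone can reach every service listening on the gateway host itself; if that is not intended, a narrower `eip`-to-`net` ACCEPT policy plus explicit `eip`-to-`$FW` rules would be the least-privilege form. The `'virtualbox'` branch hard-codes `eth0` where the `default` branch uses `$site_shorewall::defaults::interface`; a one-line comment explaining why the virtualbox case cannot use the same variable would help the next maintainer.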