Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat_rule.pp25
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp42
2 files changed, 49 insertions, 18 deletions
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
new file mode 100644
index 00000000..4fc62f85
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -0,0 +1,25 @@
+define site_shorewall::dnat_rule {
+
+ $port = $name
+ if $port != 1194 {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
+ }
+}
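Review bot: `if $port != 1194` compares `$name`, which Puppet always supplies as a string, against an integer; depending on the Puppet version this is either a numeric comparison (older releases) or a string-vs-number mismatch that is always true (Puppet 4+), in which case a `1194` entry in `openvpn.ports` would silently produce a redundant DNAT 1194→1194 rule instead of being skipped. Comparing as strings, `if "${port}" != '1194' {`, behaves the same on every version. The define also accepts any title and interpolates it straight into the shorewall rule, so a non-numeric or empty entry in hiera ends up in `destinationport` and breaks the generated rules file; a leading `if $port !~ /^[0-9]+$/ { fail("dnat_rule: port must be numeric, got ${port}") }` would catch that at compile time. A short header comment would help too, e.g. `# Redirects inbound tcp/udp traffic on port $name from the net zone to the OpenVPN gateway on 1194 (1194 itself is skipped).`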
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 34268125..7a86db21 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,18 +1,24 @@
class site_shorewall::eip {
# be safe for development
- #$shorewall_startup='0'
+ $shorewall_startup='0'
include site_shorewall::defaults
- $interface = hiera('interface')
- $ssh_config = hiera('ssh')
- $ssh_port = $ssh_config['port']
+ $interface = hiera('interface')
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+ $openvpn_config = hiera('openvpn')
+ $openvpn_ports = $openvpn_config['ports']
+ $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address
- # define macro
+ notify {"openvpn: $openvpn":}
+ notify {"openvpn_ports: $openvpn_ports":}
+
+ # define macro, allowing incoming openvpn and ssh
file { '/etc/shorewall/macro.leap_eip':
- content => "PARAM - - tcp 53,80,443,1194,$ssh_port
-PARAM - - udp 53,80,443,1194
+ content => "PARAM - - tcp 1194,$ssh_port
+PARAM - - udp 1194
", }
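Review bot: `$shorewall_startup='0'` is now live rather than commented out, and the comment above it says it exists to "be safe for development"; if this is the variable the shorewall module reads for its startup setting (not visible in this hunk), every node including this class will ship with the firewall disabled at boot, so none of the rules below take effect on the running host. Keep the line commented, or gate it on an explicit environment check, rather than landing it as the default. Separately, `notify {"openvpn: $openvpn":}` reads `$openvpn`, which is never assigned in this class (the hiera lookup goes into `$openvpn_config`), so it prints an empty value or fails under strict variable checking; use `$openvpn_config` there or drop both debug notifies before merging, since they fire on every agent run.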
@@ -65,12 +71,7 @@ PARAM - - udp 53,80,443,1194
action => 'Ping(ACCEPT)',
order => 200;
- 'net2fw-ssh':
- source => 'net',
- destination => '$FW',
- action => 'SSH(ACCEPT)',
- order => 200;
- 'net2fw-openvpn':
+ 'net2fw-openvpn_ssh':
source => 'net',
destination => '$FW',
action => 'leap_eip(ACCEPT)',
@@ -93,10 +94,15 @@ PARAM - - udp 53,80,443,1194
action => 'Git(ACCEPT)',
order => 200;
- 'eip2fw-https':
- source => 'eip',
- destination => '$FW',
- action => 'HTTPS(ACCEPT)',
- order => 200;
+ #'eip2fw-https':
+ # source => 'eip',
+ # destination => '$FW',
+ # action => 'HTTPS(ACCEPT)',
+ # order => 200;
}
+
+ # create dnat rule for each port
+ #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
+ site_shorewall::dnat_rule { $openvpn_ports: }
+
}
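Review bot: Nothing checks that `$openvpn_ports` (hiera `openvpn.ports`) does not contain `$ssh_port`; if it does, the DNAT rule created for it at order 100 rewrites inbound SSH to the OpenVPN gateway before the `leap_eip(ACCEPT)` rule ever sees it, which locks administrators out of the host. Add a guard before `site_shorewall::dnat_rule { $openvpn_ports: }`, e.g. `if member($openvpn_ports, "${ssh_port}") { fail("openvpn ports must not include ssh port ${ssh_port}") }` if puppetlabs-stdlib is available, or an equivalent loop otherwise. The `eip2fw-https` rule is also left commented out instead of removed; if HTTPS from the eip zone is intentionally no longer accepted, delete the block and say why in a one-line comment, since commented-out resources tend to be resurrected by accident.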