Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 17 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 85 |
2 files changed, 102 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
new file mode 100644
index 00000000..c68b8370
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -0,0 +1,17 @@
+class site_shorewall::defaults {
+ include shorewall
+
+ # If you want logging:
+ shorewall::params {
+ 'LOG': value => 'debug';
+ }
+
+ shorewall::zone {'net': type => 'ipv4'; }
+
+ shorewall::rule_section { 'NEW': order => 10; }
+
+ shorewall::interface {'eth0':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
new file mode 100644
index 00000000..0902039c
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
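Review bot: `'LOG': value => 'debug'` is applied unconditionally even though the comment above it reads as an opt-in hint, and debug-level Shorewall logging is noisy enough to bury the log lines a defender actually wants to see; either expose it as a class parameter (e.g. `$log_level = 'info'`) or reword the comment to `# Shorewall log level; raise to 'debug' only while troubleshooting`. The uplink interface `eth0` is also hard-coded here and again in eip.pp's `routestopped`/`masq` entries, so a host whose uplink has another name silently gets no `net` zone; a class parameter would make that assumption explicit. The `blacklist` interface option appears to rely on a blacklist file that nothing in this module manages — a comment saying where it is expected to come from would help the next maintainer.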
@@ -0,0 +1,85 @@
+class site_shorewall::eip {
+
+ # be safe for development
+ $shorewall_startup='0'
+
+ include site_shorewall::defaults
+
+ # define macro
+ file { "/etc/shorewall/macro.leap_eip":
+ content => 'PARAM - - tcp 53,80,443,1194
+PARAM - - udp 53,80,443,1194
+', }
+
+ shorewall::interface {'tun0':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+ shorewall::interface {'tun1':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs'; }
+
+ shorewall::zone {'eip':
+ type => 'ipv4'; }
+
+ shorewall::routestopped {'eth0':
+ interface => 'eth0'; }
+
+ shorewall::masq {'eth0':
+ interface => 'eth0',
+ source => ''; }
+
+ shorewall::policy {
+ 'eip-to-all':
+ sourcezone => 'eip',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
+ 'all-to-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => 200;
+ }
+
+ shorewall::rule {
+ 'all2all-ping':
+ source => 'all',
+ destination => 'all',
+ action => 'Ping(ACCEPT)',
+ order => 200;
+
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
+ order => 200;
+
+ # eip gw itself to outside
+ 'fw2all-http':
+ source => '$FW',
+ destination => 'all',
+ action => 'HTTP(ACCEPT)',
+ order => 200;
+ 'fw2all-DNS':
+ source => '$FW',
+ destination => 'all',
+ action => 'DNS(ACCEPT)',
+ order => 200;
+ 'fw2all-git':
+ source => '$FW',
+ destination => 'all',
+ action => 'Git(ACCEPT)',
+ order => 200;
+
+ 'eip2fw-https':
+ source => 'eip',
+ destination => '$FW',
+ action => 'HTTPS(ACCEPT)',
+ order => 200;
+ }
+} |
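Review bot: The `'net2fw-openvpn'` rule opens far more than OpenVPN: `leap_eip(ACCEPT)` expands to the macro written above, which accepts tcp and udp 53, 80, 443 and 1194 from the `net` zone to the firewall host itself, so DNS and HTTP(S) listeners on the gateway become internet-reachable under a rule named for the VPN. If the VPN daemon really listens on all four ports, state that where the macro is defined, e.g. `# VPN daemon listens on 53/80/443/1194 (tcp+udp); all four are exposed from net to $FW`; if not, narrow the rule to `action => 'OpenVPN(ACCEPT)'` and keep the wider macro out of the net-to-firewall path. `$shorewall_startup='0'` also looks intended to stop Shorewall from starting at boot, which would leave every rule here unenforced on any host that takes this class unchanged, so the "be safe for development" comment should say how production is expected to override it. With the `eip-to-all` policy already `ACCEPT`, the `eip2fw-https` rule adds nothing as written; either drop it or tighten the policy so the rule is what actually admits the traffic.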