From 49f0c54a05f6b542367f8ef4538316ba2eaac6cd Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 20 Jun 2014 01:58:39 -0700 Subject: new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli --- .../site_shorewall/manifests/stunnel/client.pp | 40 ++++++++++++++++++++++ .../site_shorewall/manifests/stunnel/server.pp | 22 ++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/stunnel/client.pp create mode 100644 puppet/modules/site_shorewall/manifests/stunnel/server.pp (limited to 'puppet/modules/site_shorewall/manifests/stunnel') diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp new file mode 100644 index 00000000..9a89a244 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp @@ -0,0 +1,40 @@ +# +# Adds some firewall magic to the stunnel. +# +# Using DNAT, this firewall rule allow a locally running program +# to try to connect to the normal remote IP and remote port of the +# service on another machine, but have this connection magically +# routed through the locally running stunnel client. +# +# The network looks like this: +# +# From the client's perspective: +# +# |------- stunnel client --------------| |---------- stunnel server -----------------------| +# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port +# +# From the server's perspective: +# +# |------- stunnel client --------------| |---------- stunnel server -----------------------| +# ?? -> *:accept_port -> localhost:connect_port -> service +# + +define site_shorewall::stunnel::client( + $accept_port, + $connect, + $connect_port, + $original_port) { + + include site_shorewall::defaults + + shorewall::rule { + "stunnel_dnat_${name}": + action => 'DNAT', + source => '$FW', + destination => "\$FW:127.0.0.1:${accept_port}", + proto => 'tcp', + destinationport => $original_port, + originaldest => $connect, + order => 200 + } +} diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp new file mode 100644 index 00000000..db3ecd3e --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp @@ -0,0 +1,22 @@ +# +# Allow all incoming connections to stunnel server port +# + +define site_shorewall::stunnel::server($port) { + + include site_shorewall::defaults + + file { "/etc/shorewall/macro.stunnel_server_${name}": + content => "PARAM - - tcp ${port}", + notify => Service['shorewall'], + require => Package['shorewall'] + } + shorewall::rule { + 'net2fw-couchdb': + source => 'net', + destination => '$FW', + action => "stunnel_server_${name}(ACCEPT)", + order => 200; + } + +} \ No newline at end of file -- cgit v1.2.3 From bc42e9bd3a86bb858ef853cf333242c81874209b Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 20 Jun 2014 14:34:53 -0700 Subject: stunnel: make site_mx and site_webapp use new site_stunnel --- puppet/modules/site_shorewall/manifests/stunnel/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall/manifests/stunnel') diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp index db3ecd3e..798cd631 100644 --- a/puppet/modules/site_shorewall/manifests/stunnel/server.pp +++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp @@ -12,7 +12,7 @@ define site_shorewall::stunnel::server($port) { require => Package['shorewall'] } shorewall::rule { - 'net2fw-couchdb': + "net2fw-stunnel-server-${name}": source => 'net', destination => '$FW', action => "stunnel_server_${name}(ACCEPT)", -- cgit v1.2.3