From 8d2b6978e809004f4bca38d4fef27149497ad309 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:01:48 +0100 Subject: linted --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 31ee3e6c..54f3ea6e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -8,7 +8,7 @@ class site_shorewall::eip { $interface = hiera('interface') # define macro - file { "/etc/shorewall/macro.leap_eip": + file { '/etc/shorewall/macro.leap_eip': content => 'PARAM - - tcp 53,80,443,1194 PARAM - - udp 53,80,443,1194 ', } -- cgit v1.2.3 From c72160f993345c184ce01d7e4c14c9923fc194e9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:48:02 +0100 Subject: move interface definition for eth0 to eip.pp, use variable --- puppet/modules/site_shorewall/manifests/defaults.pp | 4 ---- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,8 +10,4 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - shorewall::interface {'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; - } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 54f3ea6e..0c9bfa9c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -13,6 +13,13 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } + + # define interfaces + shorewall::interface {"$interface": + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -20,6 +27,7 @@ PARAM - - udp 53,80,443,1194 zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } -- cgit v1.2.3 From fa31e200b5cbf4ac9b01a864410d535cbf84420d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:07:07 +0100 Subject: put in double quotes --- puppet/modules/site_shorewall/manifests/eip.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0c9bfa9c..87e1e16f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,9 +13,9 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } - + # define interfaces - shorewall::interface {"$interface": + shorewall::interface { $interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } @@ -31,11 +31,12 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'$interface': - interface => '$interface'; } + shorewall::routestopped { $interface: + interface => $interface; } + - shorewall::masq {'$interface': - interface => '$interface', + shorewall::masq {"$interface": + interface => $interface, source => ''; } shorewall::policy { -- cgit v1.2.3 From d235cd5292783722653ff34b35ce28ff31d30935 Mon Sep 17 00:00:00 2001 
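Review bot: The `net` interface entry added at the top of this hunk takes its title from `hiera('interface')`, and nothing visible checks that the lookup returned a usable device name. The class body starts outside the hunk, so a guard may exist elsewhere; without one, an empty or mistyped value would yield a Shorewall interfaces entry that does not match the real NIC. The same commit removes the `eth0` entry from `site_shorewall::defaults`, so any node that includes only the defaults class would presumably be left with no `net` interface; confirm that every consumer also includes `site_shorewall::eip`. A comment such as `# $interface comes from hiera and must name the public-facing NIC` above the resource would document the dependency.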
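Review bot: With the quoting fixed in the second hunk of the "put in double quotes" patch, `shorewall::routestopped { $interface: interface => $interface; }` now names the real public interface, where the old single-quoted `'$interface'` was a literal string that would not match a device. In Shorewall, routestopped entries describe what stays reachable while the firewall is stopped, and no host restriction is visible on this resource, so the public-facing interface may be open to all sources in the stopped state. If the define allows limiting hosts, restrict it to the management addresses, or at least state the intent with a comment such as `# keeps $interface reachable while shorewall is stopped`. The masq resource in the same hunk still has a quoted title `"$interface"` and an empty `source`, unlike the unquoted titles above it.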
From: varac Date: Mon, 29 Oct 2012 21:57:34 +0100 Subject: pass ssh_port to shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 87e1e16f..230752dc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,13 +5,15 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] # define macro file { '/etc/shorewall/macro.leap_eip': - content => 'PARAM - - tcp 53,80,443,1194 + content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 -', } +", } # define interfaces -- cgit v1.2.3 From 1f7dbac75c5c2a610ca4e6763109fd3e06c9072a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:25:11 +0100 Subject: configure tcp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 230752dc..0849d711 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,9 +37,9 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq {"$interface": + shorewall::masq { $interface: interface => $interface, - source => ''; } + source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 0d89ea18da5dd520bf71df42e15b813b706e2189 Mon Sep 17 00:00:00 2001 
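Review bot: `$ssh_port` is interpolated straight into the tcp line of `macro.leap_eip` with no check that `$ssh_config['port']` is set and numeric. If the `ssh` hash has no `port` key, the rendered line ends in `1194,` with a trailing comma; how Shorewall handles that is not visible here, but a malformed macro can keep the ruleset from compiling. A guard before the file resource, for example `if "${ssh_port}" !~ /^\d+$/ { fail('ssh port must be numeric') }`, together with `${ssh_port}` in the string, would make the failure explicit at catalog time. A comment should also explain why the SSH port belongs in the EIP macro, since every rule that applies this macro will now admit SSH as well; those rules are outside this hunk.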
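Review bot: The masq `source` is built by string concatenation from `$site_config::eip::openvpn_tcp_netmask` and `$site_config::eip::openvpn_tcp_cidr`, and nothing in this hunk ensures that `site_config::eip` has been evaluated or that either value is set. If either is undefined, the rendered source degrades to something like `.0/`, and a malformed or over-broad SOURCE column changes which traffic is NATed out of the public interface. Appending `.0` also assumes a three-octet prefix and a network aligned on that boundary, which the name `openvpn_tcp_netmask` does not convey. The same construction recurs in the two later masq hunks on this page (tcp+udp masquerading and the renamed titles). Suggest braces, as in `"${site_config::eip::openvpn_tcp_netmask}.0/${site_config::eip::openvpn_tcp_cidr}"`, and a comment stating the expected format of both values.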
From: varac Date: Mon, 29 Oct 2012 22:46:04 +0100 Subject: configure tcp+udp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0849d711..5105b85a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -39,7 +39,11 @@ PARAM - - udp 53,80,443,1194 shorewall::masq { $interface: interface => $interface, - source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + + shorewall::masq { $interface: + interface => $interface, + source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 04d324a61cb33ff282e2dc3228e25723b564ea1f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:49:14 +0100 Subject: differentiate masq definition names --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_shorewall/manifests') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 5105b85a..a5af0dde 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
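Review bot: Both masq resources in the "configure tcp+udp masquerading" hunk are titled `$interface`, so the catalog would presumably fail to compile with a duplicate declaration, leaving the firewall change unapplied at this revision. The follow-up patch on this page renames them to `"${interface}_tcp"` and `"${interface}_udp"`. Folding that rename into this commit would keep every revision in the series deployable, which matters when bisecting or rolling back a firewall change.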
@@ -37,11 +37,11 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_tcp": interface => $interface, source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_udp": interface => $interface, source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } -- cgit v1.2.3