1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
class site_shorewall::eip {
# be safe for development
$shorewall_startup='0'
include site_shorewall::defaults
# define macro
file { "/etc/shorewall/macro.leap_eip":
content => 'PARAM - - tcp 53,80,443,1194
PARAM - - udp 53,80,443,1194
', }
shorewall::interface {'tun0':
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs'; }
shorewall::interface {'tun1':
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs'; }
shorewall::zone {'eip':
type => 'ipv4'; }
shorewall::routestopped {'eth0':
interface => 'eth0'; }
shorewall::masq {'eth0':
interface => 'eth0',
source => ''; }
shorewall::policy {
'eip-to-all':
sourcezone => 'eip',
destinationzone => 'all',
policy => 'ACCEPT',
order => 100;
'all-to-all':
sourcezone => 'all',
destinationzone => 'all',
policy => 'DROP',
order => 200;
}
shorewall::rule {
'all2all-ping':
source => 'all',
destination => 'all',
action => 'Ping(ACCEPT)',
order => 200;
'net2fw-ssh':
source => 'net',
destination => '$FW',
action => 'SSH(ACCEPT)',
order => 200;
'net2fw-openvpn':
source => 'net',
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
# eip gw itself to outside
'fw2all-http':
source => '$FW',
destination => 'all',
action => 'HTTP(ACCEPT)',
order => 200;
'fw2all-DNS':
source => '$FW',
destination => 'all',
action => 'DNS(ACCEPT)',
order => 200;
'fw2all-git':
source => '$FW',
destination => 'all',
action => 'Git(ACCEPT)',
order => 200;
'eip2fw-https':
source => 'eip',
destination => '$FW',
action => 'HTTPS(ACCEPT)',
order => 200;
}
}
|