diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2018-12-26 20:24:54 +0100 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2018-12-26 20:24:54 +0100 |
| commit | 6360e8c96795ebab090e574899e9bd65594590a9 (patch) | |
| tree | e19cfc2aaa6609221e21696a39f64d61d4e5017b | |
| parent | added elevate accesspoints (WIP) (diff) | |
added more firewall rules to ele-router
| -rw-r--r-- | inventory/host_vars/ele-router.yml | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml index 869b5dcb..e690cddc 100644 --- a/inventory/host_vars/ele-router.yml +++ b/inventory/host_vars/ele-router.yml @@ -149,7 +149,7 @@ openwrt_mixin: file: "{{ global_files_dir }}/common/htoprc" ## TODO: this script needs to be activated ... probably using a symlink file? - /etc/init.d/network-nat: + /etc/init.d/network-fw: mode: "0755" content: | #!/bin/sh /etc/rc.common @@ -160,23 +160,35 @@ openwrt_mixin: source /lib/functions/network.sh network_get_device WAN_IF "wan" - - {% for zone_name in network_internal_zone_names %} - network_get_subnets NETS "{{ zone_name }}" - {% if loop.first %} - INTERNAL_NETS="$NETS" - {% else %} - INTERNAL_NETS="INTERNAL_NETS $NETS" - {% endif %} - {% endfor %} + network_get_device MGMT_IF "mgmt" start() { - for net in $INTERNAL_NETS; do - iptables -t nat -A POSTROUTING -o $WAN_IF -s $net -j MASQUERADE - done; + iptables -A INPUT -i lo -j ACCEPT + iptables -A INPUT -i $MGMT_IF -j ACCEPT + iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT + iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT + iptables -P INPUT DROP + + iptables -A FORWARD -i lo -j ACCEPT + for zone in "{{ network_internal_zone_names | join('" "') }}"; do + network_get_device interface "$zone" + network_get_subnets subnets "$zone" + iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT + iptables -A FORWARD -i $WAN_IF -o $interface -m state RELATED,ESTABLISHED -j ACCEPT + for subnet in $subnets; do + iptables -A FORWARD -i $interface -o $WAN_IF -s $subnet -j ACCEPT + iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE + done + done + iptables -P FORWARD DROP } stop() { + iptables -P INPUT ACCEPT + iptables INPUT -F + iptables -P FORWARD ACCEPT + iptables FORWARD -F iptables -t nat POSTROUTING -F } |