diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2018-12-29 02:43:38 +0100 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2018-12-29 02:43:38 +0100 |
| commit | 115b4456d5d21bb06cb983f563b05808c8d511b7 (patch) | |
| tree | 8af9874f9d0e10c48d3db617f35f02aee6f5bab3 /inventory/host_vars/ele-router.yml | |
| parent | added more firewall rules to ele-router (diff) | |
ele-router: fix firewall script
Diffstat (limited to 'inventory/host_vars/ele-router.yml')
| -rw-r--r-- | inventory/host_vars/ele-router.yml | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml index e690cddc..da10e73c 100644 --- a/inventory/host_vars/ele-router.yml +++ b/inventory/host_vars/ele-router.yml @@ -8,20 +8,20 @@ network_internal_zone_names: openwrt_network_external: - # - name: interface 'wan' - # options: - # ifname: eth0 - # proto: dhcp - - name: interface 'wan' options: - ifname: "eth0.{{ network_wan_zone.vlan }}" - accept_ra: 0 - proto: static - ipaddr: "{{ network_wan_zone.prefix | ipaddr(network_wan_zone.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_wan_zone.prefix | ipaddr('netmask') }}" - gateway: "{{ network_wan_zone.gw }}" - dns: "{{ network_wan_zone.dns }}" + ifname: eth0 + proto: dhcp + + # - name: interface 'wan' + # options: + # ifname: "eth0.{{ network_wan_zone.vlan }}" + # accept_ra: 0 + # proto: static + # ipaddr: "{{ network_wan_zone.prefix | ipaddr(network_wan_zone.offsets[inventory_hostname]) | ipaddr('address') }}" + # netmask: "{{ network_wan_zone.prefix | ipaddr('netmask') }}" + # gateway: "{{ network_wan_zone.gw }}" + # dns: "{{ network_wan_zone.dns }}" openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" openwrt_network_internal_yaml: | @@ -168,19 +168,26 @@ openwrt_mixin: iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT - iptables -P INPUT DROP iptables -A FORWARD -i lo -j ACCEPT for zone in "{{ network_internal_zone_names | join('" "') }}"; do network_get_device interface "$zone" network_get_subnets subnets "$zone" + + ### todo: only do this if dhcp is defined in network_zone + iptables -A INPUT -i $interface -p udp --dport 67 --sport 68 -j ACCEPT + iptables -A INPUT -i $interface -p udp --dport 53 -j ACCEPT + iptables -A INPUT -i $interface -p tcp --dport 53 -j ACCEPT + iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT - iptables -A FORWARD -i $WAN_IF -o $interface -m state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT for subnet in $subnets; do iptables -A FORWARD -i $interface -o $WAN_IF -s $subnet -j ACCEPT iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE done done + + iptables -P INPUT DROP iptables -P FORWARD DROP } |