authorChristian Pointner <equinox@spreadspace.org>2019-07-10 09:33:10 +0200
committerChristian Pointner <equinox@spreadspace.org>2019-07-10 09:47:55 +0200
commit8d543cabedc73c971845844f7fb616b1a8600d30 (patch)
treea3a60a96bad47dc1cd96dd525454da414ff35c64 /inventory
parentseperate vm/install and vm/define (diff)
ch-router: added firewall script
Diffstat (limited to 'inventory')
-rw-r--r--inventory/host_vars/ch-router.yml53
1 files changed, 53 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 1acfc98f..3a5f8e43 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -36,6 +36,59 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K91network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ MAGENTA_IF=$(uci get network.magenta.ifname)
+ MAGENTA_IPADDR=$(uci get network.magenta.ipaddr)
+ MAGENTA_NETMASK=$(uci get network.magenta.netmask)
+
+ MGMT_IF=$(uci get network.mgmt.ifname)
+ MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+ MGMT_NETMASK=$(uci get network.mgmt.netmask)
+
+ SVC_IF=$(uci get "network.svc.ifname")
+ SVC_IPADDR=$(uci get "network.svc.ipaddr")
+ SVC_NETMASK=$(uci get "network.svc.netmask")
+
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+
+ iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT
+ iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j SNAT --to "$MAGENTA_IPADDR"
+
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
openwrt_uci:
system: