accesspoints: added basic firewall

author: Christian Pointner <equinox@spreadspace.org> 2018-12-30 12:25:11 +0100
committer: Christian Pointner <equinox@spreadspace.org> 2018-12-30 12:25:11 +0100
commit: 77348b800a6cb88e4a2bce76ce81ff333230749d (patch)
tree: 33e211eb233c8dbd554fb2a6320ba067101a9da6 /inventory
parent: dolmetsch-ctl: also block potentially forwarded traffic with iptables (diff)
1 files changed, 31 insertions, 0 deletions
diff --git a/inventory/group_vars/accesspoints/main.yml b/inventory/group_vars/accesspoints/main.yml
index 79d0ec75..632e7e95 100644
--- a/inventory/group_vars/accesspoints/main.yml
+++ b/inventory/group_vars/accesspoints/main.yml
@@ -97,6 +97,37 @@ openwrt_mixin:
   /etc/htoprc:
     file: "{{ global_files_dir }}/common/htoprc"
 
+  /etc/rc.d/S22network-fw:
+    link: "../init.d/network-fw"
+
+  /etc/rc.d/K91network-fw:
+    link: "../init.d/network-fw"
+
+  /etc/init.d/network-fw:
+    mode: "0755"
+    content: |
+      #!/bin/sh /etc/rc.common
+
+      START=22
+      STOP=91
+
+      MGMT_IF=$(uci get network.mgmt.ifname)
+      MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+      MGMT_NETMASK=$(uci get network.mgmt.netmask)
+
+      start() {
+        iptables -A INPUT -i lo -j ACCEPT
+        iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+        iptables -P INPUT DROP
+        iptables -P FORWARD DROP
+      }
+
+      stop() {
+        iptables -P INPUT ACCEPT
+        iptables -F INPUT
+        iptables -P FORWARD ACCEPT
+      }
+
 
 openwrt_uci:
   system:
author	Christian Pointner <equinox@spreadspace.org>	2018-12-30 12:25:11 +0100
committer	Christian Pointner <equinox@spreadspace.org>	2018-12-30 12:25:11 +0100
commit	77348b800a6cb88e4a2bce76ce81ff333230749d (patch)
tree	33e211eb233c8dbd554fb2a6320ba067101a9da6 /inventory
parent	dolmetsch-ctl: also block potentially forwarded traffic with iptables (diff)