author | Christian Pointner <equinox@spreadspace.org> | 2019-01-19 00:53:46 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2019-01-19 00:53:50 +0100 |
commit | 2011199bf9c4fb36c934b2ff7d522971bc4f8dae (patch) | |
tree | 01fbe7d7ab6cd35980a1bcca03c263f43e45ae10 /roles/elevate/media/templates/firewall/lan-only.sh.j2 | |
parent | docker role can now set the daemon config before it is installed (diff) |
added firewall script for all network setups
Diffstat (limited to 'roles/elevate/media/templates/firewall/lan-only.sh.j2')
-rw-r--r-- | roles/elevate/media/templates/firewall/lan-only.sh.j2 | 33 |
1 files changed, 29 insertions, 4 deletions
diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2
index 041e441b..9a7db67a 100644
--- a/roles/elevate/media/templates/firewall/lan-only.sh.j2
+++ b/roles/elevate/media/templates/firewall/lan-only.sh.j2
@@ -15,13 +15,23 @@ MANGLE="$IPTABLES -t mangle"
 FILTER6="$IP6TABLES -t filter"
 MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="{{ network.primary.ip }}"
+LAN_NETMASK="{{ network.primary.mask }}"
+
 #########################
 # IPv4 UP #
 #########################
 ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
 echo -n "success"
 }
@@ -31,7 +41,11 @@ ipv4_up() {
 #########################
 ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
 echo -n "success"
 }
@@ -41,7 +55,13 @@ ipv6_up() {
 #########################
 ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
 echo -n "success"
 }
@@ -51,6 +71,11 @@ ipv4_down() {
 #########################
 ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
 echo -n "success"
 }
|
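Review bot: ipv4_up sets the INPUT policy to DROP with only the lo and LAN-network accept rules in front of it, so replies to connections this host itself opens to addresses outside the LAN network (the source match is `$LAN_IPADDR/$LAN_NETMASK`) will be dropped; there is no accept for established or related traffic. If a lan-only profile is meant to cut the host off from everything but the LAN, a comment such as `# no conntrack rule on purpose: the host may only talk to the LAN` above the policy lines would record that intent; if not, `$FILTER -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` belongs before `$FILTER -P INPUT DROP`. The variables FILTER and NAT used here and in ipv4_down are presumably defined above line 15, outside this hunk, alongside MANGLE, FILTER6 and MANGLE6; worth confirming NAT is among them since ipv4_down now calls `$NAT -F`.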
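Review bot: ipv6_up issues all three of its rules through `$FILTER`, the IPv4 iptables handle, instead of `$FILTER6`, so the IPv6 filter table keeps its default ACCEPT policy and the host stays reachable on every IPv6 address after the script has reported success, while the IPv4 table gets a second lo accept rule and its INPUT/FORWARD policies set a second time. The matching ipv6_down in the last hunk does use `$FILTER6`, which shows the intended handle. Change the three lines to `$FILTER6 -A INPUT -i lo -j ACCEPT`, `$FILTER6 -P INPUT DROP` and `$FILTER6 -P FORWARD DROP`; a quick check after applying the script (`ip6tables -t filter -S INPUT` showing the DROP policy) would catch a regression of this kind.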