authorChristian Pointner <equinox@spreadspace.org>2019-01-19 00:53:46 +0100
committerChristian Pointner <equinox@spreadspace.org>2019-01-19 00:53:50 +0100
commit2011199bf9c4fb36c934b2ff7d522971bc4f8dae (patch)
tree01fbe7d7ab6cd35980a1bcca03c263f43e45ae10 /roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
parentdocker role can now set the daemon config before it is installed (diff)
added firewall script for all network setups
Diffstat (limited to 'roles/elevate/media/templates/firewall/r3-with-lan.sh.j2')
-rw-r--r--roles/elevate/media/templates/firewall/r3-with-lan.sh.j249
1 files changed, 45 insertions, 4 deletions
diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
index 041e441b..4ac1509c 100644
--- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
+++ b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
@@ -15,13 +15,39 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="{{ network.primary.ip }}"
+LAN_NETMASK="{{ network.primary.mask }}"
+
+EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}"
+EXT_IPADDR="89.106.211.61"
+
+EXT_SERVICES_TCP="80 443 22000"
+EXT_SERVICES_UDP=""
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
+ for port in $EXT_SERVICES_TCP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
+ done
+ for port in $EXT_SERVICES_UDP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
+ done
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
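Review bot: The loopback rule `$FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT` only admits 127/8 traffic, but a local process connecting to the host's own LAN or external address also arrives on `lo` with that address as source and destination, and with the INPUT policy set to DROP a few lines later those connections are dropped (including the host talking to its own 80/443/22000 services). The IPv6 function in this same commit uses the unrestricted form `-i lo -j ACCEPT`, so the two disagree; I would use `$FILTER -A INPUT -i lo -j ACCEPT` here as well, since `lo` cannot carry packets from another host. Separately, `EXT_IPADDR="89.106.211.61"` is the one value in this template that is not rendered from inventory data while `EXT_IF` is built from `network_zones.dom.vlan`; pinning a public address in a shared template means every host rendering it filters on that one address, so it presumably belongs next to the VLAN in the `network_zones` data. The unquoted `$port` in the two loops is intentional word-splitting of a literal list, but a comment such as `# $port is a plain integer from a literal list; quoting not needed` would stop ShellCheck SC2086 from being "fixed" later.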
@@ -31,7 +57,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
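Review bot: `ipv6_up` programs the IPv4 tables: every command in it uses `$FILTER`, which judging from the `FILTER6="$IP6TABLES -t filter"` line in the first hunk is the iptables filter table, while `$FILTER6` is only touched by `ipv6_down`. As committed this leaves ip6tables with its default ACCEPT policy and no rules, so whatever the host exposes over IPv6 is reachable unfiltered, and it instead adds a second loopback rule and re-sets the policies on IPv4. Switching to `$FILTER6` is necessary but not sufficient: once the IPv6 INPUT policy is DROP, neighbour discovery and path-MTU discovery need ICMPv6 to be accepted, and replies to outbound IPv6 connections need the same conntrack rule the IPv4 function has. Whether this host carries a routable IPv6 address is not visible here; if it does not, the tightened policy is still the safe default.

```shell
ipv6_up() {
  $FILTER6 -A INPUT -i lo -j ACCEPT
  # NDP (neighbour/router solicitation and advertisement) and PMTU
  # discovery stop working under a DROP policy unless ICMPv6 is allowed
  $FILTER6 -A INPUT -p icmpv6 -j ACCEPT
  $FILTER6 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  $FILTER6 -P INPUT DROP
  $FILTER6 -P FORWARD DROP
  # … unchanged: echo -n "success" …
}
```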
@@ -41,7 +71,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
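Review bot: `ipv4_down` flushes the chains before it resets the policies, so if the script stops between `$FILTER -F` and `$FILTER -P INPUT ACCEPT` (a failed iptables call, or an error exit if the caller runs under `set -e`, which is not visible in this hunk) the host is left with an empty ruleset under the DROP policy that `ipv4_up` installed, i.e. unreachable rather than open. Resetting the policies first and flushing afterwards leaves an ACCEPT policy plus stale accept rules if interrupted, which is the intended end state anyway: move the three `$FILTER -P ... ACCEPT` lines above the `$MANGLE -F` / `$NAT -F` / `$FILTER -F` lines. `ipv6_down` in the next hunk has the same shape and deserves the same reordering. `$NAT` is not defined anywhere in the visible hunks, so I am assuming it is set alongside `MANGLE` above the first hunk.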
@@ -51,6 +87,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}