authorChristian Pointner <equinox@spreadspace.org>2019-01-19 00:53:46 +0100
committerChristian Pointner <equinox@spreadspace.org>2019-01-19 00:53:50 +0100
commit2011199bf9c4fb36c934b2ff7d522971bc4f8dae (patch)
tree01fbe7d7ab6cd35980a1bcca03c263f43e45ae10 /roles/elevate/media
parentdocker role can now set the daemon config before it is installed (diff)
added firewall script for all network setups
Diffstat (limited to 'roles/elevate/media')
-rw-r--r--roles/elevate/media/tasks/network.yml2
-rw-r--r--roles/elevate/media/templates/firewall/elevate-festival.sh.j249
-rw-r--r--roles/elevate/media/templates/firewall/elevate-office.sh.j233
-rw-r--r--roles/elevate/media/templates/firewall/lan-only.sh.j233
-rw-r--r--roles/elevate/media/templates/firewall/r3-with-lan.sh.j249
-rw-r--r--roles/elevate/media/templates/firewall/r3.sh.j243
6 files changed, 187 insertions, 22 deletions
diff --git a/roles/elevate/media/tasks/network.yml b/roles/elevate/media/tasks/network.yml
index eb623821..da7dd1db 100644
--- a/roles/elevate/media/tasks/network.yml
+++ b/roles/elevate/media/tasks/network.yml
@@ -14,7 +14,6 @@
- r3-with-lan
- elevate-festival
- elevate-office
- # - dhcp
notify: netplan apply
- name: install firewall scripts
@@ -28,7 +27,6 @@
- r3-with-lan
- elevate-festival
- elevate-office
- # - dhcp
notify: firewall restart
- name: remove default netplan config
diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
index 041e441b..5e7bd98b 100644
--- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
+++ b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
@@ -15,13 +15,39 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="{{ network.primary.ip }}"
+LAN_NETMASK="{{ network.primary.mask }}"
+
+EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}"
+EXT_IPADDR="{{ network_zones.dom.prefix | ipaddr(network_zones.dom.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
+
+EXT_SERVICES_TCP="80 443 22000"
+EXT_SERVICES_UDP=""
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
+ for port in $EXT_SERVICES_TCP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
+ done
+ for port in $EXT_SERVICES_UDP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
+ done
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
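Review bot: The loopback rule accepts only 127.0.0.0/8 on both sides, but on Linux a local connection to one of the host's own non-loopback addresses (LAN_IPADDR, EXT_IPADDR) also arrives on lo with that address as source and destination, so it matches neither this rule nor the `-i "$LAN_IF"` rule and falls through to the INPUT DROP policy set at the end of the hunk. Unless that restriction is intended, `$FILTER -A INPUT -i lo -j ACCEPT` (the form ipv6_up already uses) avoids the surprise, and the loopback range can still be protected with `$FILTER -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP`. The same lo rule is in the ipv4_up hunks of elevate-office (L120–L140), lan-only (L181–L201), r3-with-lan (L242–L278) and r3 (L319–L349).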
@@ -31,7 +57,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
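Review bot: ipv6_up() still programs the IPv4 tables: all three added lines use `$FILTER`, so the IPv6 filter table never receives its loopback rule or DROP policies, and a second lo ACCEPT is appended to the IPv4 INPUT chain instead. With ipv4_up closing IPv4, any IPv6 address on the host stays fully reachable while the script reports "success"; ipv6_down meanwhile flushes `$FILTER6`, which was never populated. Replace `$FILTER` with `$FILTER6` on those three lines. Once that is fixed, a host that actually carries IPv6 will also need an ICMPv6 accept rule before the DROP policy, since neighbour discovery otherwise stops working. The same copy is in elevate-office (L141–L151), lan-only (L202–L212), r3-with-lan (L279–L289) and r3 (L350–L360).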
@@ -41,7 +71,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
@@ -51,6 +87,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
index 041e441b..19cea0db 100644
--- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2
+++ b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
@@ -15,13 +15,23 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="192.168.0.250"
+LAN_NETMASK="255.255.255.0"
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
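Review bot: Inbound traffic on LAN_IF is accepted only when its source lies inside $LAN_IPADDR/$LAN_NETMASK and there is no conntrack rule, so replies to any connection this host opens to an address outside that subnet through LAN_IF (its gateway, DNS, package mirrors) hit the INPUT DROP policy — assuming the LAN is this profile's only uplink, which the missing EXT_* variables suggest. A rule such as `$FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` before the policy change covers that, mirroring what the EXT_IF variants do. lan-only (L181–L201) has the same structure. Separately, LAN_IPADDR and LAN_NETMASK are literals here whereas lan-only templates them from network.primary; if the office host's address is in inventory, the same template would avoid drift between the two.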
@@ -31,7 +41,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
@@ -41,7 +55,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
@@ -51,6 +71,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2
index 041e441b..9a7db67a 100644
--- a/roles/elevate/media/templates/firewall/lan-only.sh.j2
+++ b/roles/elevate/media/templates/firewall/lan-only.sh.j2
@@ -15,13 +15,23 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="{{ network.primary.ip }}"
+LAN_NETMASK="{{ network.primary.mask }}"
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
@@ -31,7 +41,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
@@ -41,7 +55,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
@@ -51,6 +71,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
index 041e441b..4ac1509c 100644
--- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
+++ b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
@@ -15,13 +15,39 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="{{ network.primary.ip }}"
+LAN_NETMASK="{{ network.primary.mask }}"
+
+EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}"
+EXT_IPADDR="89.106.211.61"
+
+EXT_SERVICES_TCP="80 443 22000"
+EXT_SERVICES_UDP=""
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
+ for port in $EXT_SERVICES_TCP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
+ done
+ for port in $EXT_SERVICES_UDP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
+ done
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
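Review bot: EXT_IPADDR is a literal address here while elevate-festival derives it from network_zones.dom.prefix and network_zones.dom.offsets; if the r3 uplink address is also in inventory, templating it the same way keeps this file from silently diverging when the address changes. r3 (L319–L349) carries the same literal.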
@@ -31,7 +57,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
@@ -41,7 +71,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
@@ -51,6 +87,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2
index 041e441b..8959951d 100644
--- a/roles/elevate/media/templates/firewall/r3.sh.j2
+++ b/roles/elevate/media/templates/firewall/r3.sh.j2
@@ -15,13 +15,33 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}"
+EXT_IPADDR="89.106.211.61"
+
+EXT_SERVICES_TCP="80 443 22000"
+EXT_SERVICES_UDP=""
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
+ for port in $EXT_SERVICES_TCP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
+ done
+ for port in $EXT_SERVICES_UDP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
+ done
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
@@ -31,7 +51,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
@@ -41,7 +65,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
@@ -51,6 +81,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}