authorChristian Pointner <equinox@spreadspace.org>2019-01-19 02:15:00 +0100
committerChristian Pointner <equinox@spreadspace.org>2019-01-19 02:15:00 +0100
commit75ecd447521bc2f9d7d5891da61f20f2c33345e8 (patch)
treecdf6f8efe1d0d7f4aead983245894930746582fd /roles/elevate
parentadded firewall script for all network setups (diff)
fix firewall scripts
Diffstat (limited to 'roles/elevate')
-rw-r--r--roles/elevate/media/templates/firewall/elevate-festival.sh.j28
-rw-r--r--roles/elevate/media/templates/firewall/elevate-office.sh.j27
-rw-r--r--roles/elevate/media/templates/firewall/lan-only.sh.j27
-rw-r--r--roles/elevate/media/templates/firewall/r3-with-lan.sh.j26
-rw-r--r--roles/elevate/media/templates/firewall/r3.sh.j26
5 files changed, 18 insertions, 16 deletions
diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
index 5e7bd98b..3daf2836 100644
--- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
+++ b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
@@ -20,7 +20,7 @@ LAN_IPADDR="{{ network.primary.ip }}"
LAN_NETMASK="{{ network.primary.mask }}"
EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}"
-EXT_IPADDR="{{ network_zones.dom.prefix | ipaddr(network_zones.dom.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
+EXT_IPADDR="{{ network_zones.dom.prefix | ipaddr(network_zones.dom.offsets[inventory_hostname]) | ipaddr('address') }}"
EXT_SERVICES_TCP="80 443 22000"
EXT_SERVICES_UDP=""
@@ -57,10 +57,10 @@ ipv4_up() {
#########################
ipv6_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i lo -j ACCEPT
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
+ $FILTER6 -P INPUT DROP
+ $FILTER6 -P FORWARD DROP
echo -n "success"
}
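Review bot: ipv6_up now ends in `$FILTER6 -P INPUT DROP` with only a loopback ACCEPT above it, so every non-loopback IPv6 packet is dropped, including ICMPv6 neighbour solicitations and the replies to the host's own outbound IPv6 connections; that is only correct if these hosts are meant to have no IPv6 connectivity at all, which nothing in the hunk states. If IPv6 is in use, the function needs at least `$FILTER6 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `$FILTER6 -A INPUT -p icmpv6 -j ACCEPT` before the policies are set; if it is not, a comment such as `# IPv6 is intentionally unused: accept loopback only, drop everything else` would record that decision for the next reader. Separately, `echo -n "success"` runs unconditionally after the three ip6tables calls, so a failing `$FILTER6` (missing ip6tables, a rejected rule) still reports success unless the script enables `-e` outside this hunk; appending `|| return 1` to each `$FILTER6` line, or a single `set -e` at the top of the script, would make the report truthful. The same ipv6_up hunk appears in elevate-office.sh.j2, lan-only.sh.j2, r3-with-lan.sh.j2 and r3.sh.j2, and this note applies to all of them.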
diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
index 19cea0db..26ee5afe 100644
--- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2
+++ b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
@@ -28,6 +28,7 @@ ipv4_up() {
$FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
$FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$FILTER -P INPUT DROP
$FILTER -P FORWARD DROP
@@ -41,10 +42,10 @@ ipv4_up() {
#########################
ipv6_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i lo -j ACCEPT
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
+ $FILTER6 -P INPUT DROP
+ $FILTER6 -P FORWARD DROP
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2
index 9a7db67a..aa9f03d8 100644
--- a/roles/elevate/media/templates/firewall/lan-only.sh.j2
+++ b/roles/elevate/media/templates/firewall/lan-only.sh.j2
@@ -28,6 +28,7 @@ ipv4_up() {
$FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
$FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$FILTER -P INPUT DROP
$FILTER -P FORWARD DROP
@@ -41,10 +42,10 @@ ipv4_up() {
#########################
ipv6_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i lo -j ACCEPT
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
+ $FILTER6 -P INPUT DROP
+ $FILTER6 -P FORWARD DROP
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
index 4ac1509c..20eca653 100644
--- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
+++ b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
@@ -57,10 +57,10 @@ ipv4_up() {
#########################
ipv6_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i lo -j ACCEPT
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
+ $FILTER6 -P INPUT DROP
+ $FILTER6 -P FORWARD DROP
echo -n "success"
}
diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2
index 8959951d..6ee29631 100644
--- a/roles/elevate/media/templates/firewall/r3.sh.j2
+++ b/roles/elevate/media/templates/firewall/r3.sh.j2
@@ -51,10 +51,10 @@ ipv4_up() {
#########################
ipv6_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
+ $FILTER6 -A INPUT -i lo -j ACCEPT
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
+ $FILTER6 -P INPUT DROP
+ $FILTER6 -P FORWARD DROP
echo -n "success"
}