Diffstat (limited to 'inventory')
-rw-r--r-- | inventory/group_vars/elevate-festival/main.yml | 4 | ||||
-rw-r--r-- | inventory/host_vars/ele-router.yml | 54 |
2 files changed, 32 insertions, 26 deletions
diff --git a/inventory/group_vars/elevate-festival/main.yml b/inventory/group_vars/elevate-festival/main.yml
index 2d2b3d70..649335f7 100644
--- a/inventory/group_vars/elevate-festival/main.yml
+++ b/inventory/group_vars/elevate-festival/main.yml
@@ -36,6 +36,10 @@ network_zones:
 mixer:
 vlan: 48
 prefix: 192.168.48.0/24
+ offsets:
+ kuschelbaer: 48
+ atem: 208
+ x32: 216
 infoscreens:
 vlan: 73
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index da10e73c..2d5cb1b3 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -148,43 +148,45 @@ openwrt_mixin: /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" - ## TODO: this script needs to be activated ... probably using a symlink file? + /etc/rc.d/S22network-fw: + link: "../init.d/network-fw" + + /etc/rc.d/K91network-fw: + link: "../init.d/network-fw" + /etc/init.d/network-fw: mode: "0755" content: | #!/bin/sh /etc/rc.common START=22 - STOP=90 + STOP=91 - source /lib/functions/network.sh - - network_get_device WAN_IF "wan" - network_get_device MGMT_IF "mgmt" + WAN_IF=$(uci get network.wan.ifname) + MGMT_IF=$(uci get network.mgmt.ifname) + MGMT_IPADDR=$(uci get network.mgmt.ipaddr) + MGMT_NETMASK=$(uci get network.mgmt.netmask) start() { + iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -i $MGMT_IF -j ACCEPT - iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT - iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT + iptables -A INPUT -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i lo -j ACCEPT for zone in "{{ network_internal_zone_names | join('" "') }}"; do - network_get_device interface "$zone" - network_get_subnets subnets "$zone" + interface=$(uci get "network.$zone.ifname") + ipaddr=$(uci get "network.$zone.ipaddr") + netmask=$(uci get "network.$zone.netmask") ### todo: only do this if dhcp is defined in network_zone - iptables -A INPUT -i $interface -p udp --dport 67 --sport 68 -j ACCEPT - iptables -A INPUT -i $interface -p udp --dport 53 -j ACCEPT - iptables -A INPUT -i $interface -p tcp --dport 53 -j ACCEPT - - iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT - iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT - for subnet in $subnets; do - iptables -A FORWARD -i 
$interface -o $WAN_IF -s $subnet -j ACCEPT - iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE - done + iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT + iptables -A INPUT -i "$interface" -p udp --dport 53 -j ACCEPT + iptables -A INPUT -i "$interface" -p tcp --dport 53 -j ACCEPT + + iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT + iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE done iptables -P INPUT DROP @@ -193,10 +195,10 @@ openwrt_mixin: stop() { iptables -P INPUT ACCEPT - iptables INPUT -F + iptables -F INPUT iptables -P FORWARD ACCEPT - iptables FORWARD -F - iptables -t nat POSTROUTING -F + iptables -F FORWARD + iptables -t nat -F POSTROUTING } |
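Review bot: Replacing `network_get_device` with `uci get "network.$zone.ifname"` in the zone loop changes what `$interface` holds: `ifname` is the configured port list, so for a zone of `type bridge` it names the member port(s) (possibly several, space-separated) rather than the `br-<zone>` device the kernel actually forwards on, and a multi-word value makes every `-i "$interface"` rule fail while the trailing `iptables -P INPUT DROP` still runs. Whether any zone in `network_internal_zone_names` is bridged is not visible here; if one is, either keep `network_get_device`/`network_get_subnets` from `/lib/functions/network.sh`, or read `uci -q get "network.$zone.type"` and substitute `br-$zone` when it is `bridge`. The same shape of failure applies to the `uci get` calls at the top of the script: an empty `WAN_IF` silently drops the `RELATED,ESTABLISHED` and port-22000 rules and the default-deny then cuts off the router's own WAN path, so a guard such as `[ -n "$WAN_IF" ] && [ -n "$MGMT_IF" ] || { echo "network-fw: interface lookup failed" >&2; return 1; }` before the first `iptables` call in `start()` is worth adding. Separately, `start()` only appends (`-A`) and never flushes, so a second `start` duplicates every rule, and nothing here touches `ip6tables`, so any IPv6 present on `$WAN_IF` is outside this policy. The body of `start()` continues past the end of this hunk.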