path: root/roles/elevate/media/templates/firewall/r3.sh.j2
Diffstat (limited to 'roles/elevate/media/templates/firewall/r3.sh.j2')
-rw-r--r--roles/elevate/media/templates/firewall/r3.sh.j243
1 files changed, 39 insertions, 4 deletions
diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2
index 041e441b..8959951d 100644
--- a/roles/elevate/media/templates/firewall/r3.sh.j2
+++ b/roles/elevate/media/templates/firewall/r3.sh.j2
@@ -15,13 +15,33 @@ MANGLE="$IPTABLES -t mangle"
FILTER6="$IP6TABLES -t filter"
MANGLE6="$IP6TABLES -t mangle"
+EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}"
+EXT_IPADDR="89.106.211.61"
+
+EXT_SERVICES_TCP="80 443 22000"
+EXT_SERVICES_UDP=""
+
#########################
# IPv4 UP #
#########################
ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
+ for port in $EXT_SERVICES_TCP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
+ done
+ for port in $EXT_SERVICES_UDP; do
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
+ done
+ $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
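Review bot: `EXT_IPADDR="89.106.211.61"` is a hard-coded literal in a `.j2` template whose neighbouring `EXT_IF` is rendered from Ansible variables, so the same template applied to another host would silently open the port rules for the wrong destination address; it should be rendered from a template variable like `EXT_IF` is. Separately, the `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule is appended after the per-port loops, so every packet of an existing flow is first matched against each service rule; placing that line directly after the `lo` rule is the usual ordering and also covers reply traffic before any service-specific rule. Note that with `-P INPUT DROP` and rules only for `lo` and `"$EXT_IF"`, any other interface on the host receives nothing at all — presumably intended, but worth a comment such as `# only lo and the external VLAN are allowed in; everything else is dropped by policy`.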
@@ -31,7 +51,11 @@ ipv4_up() {
#########################
ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
echo -n "success"
}
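Review bot: `ipv6_up` uses `$FILTER` (the iptables v4 filter table) on all three lines, so on IPv6 setup it appends a second `lo` ACCEPT rule to the IPv4 table and re-sets the IPv4 policies, while ip6tables is never touched and its INPUT/FORWARD policies stay at their default ACCEPT; `ipv6_down` in the same commit correctly uses `$FILTER6`. The lines should read `$FILTER6 -A INPUT -i lo -j ACCEPT`, `$FILTER6 -P INPUT DROP` and `$FILTER6 -P FORWARD DROP`. Once that is fixed, note that unlike `ipv4_up` there is no RELATED,ESTABLISHED rule and no ICMPv6 rule here, so any IPv6 address on the host becomes unreachable, including neighbour discovery replies — if that is intended it deserves a comment, otherwise the v6 side needs the equivalent conntrack and `-p ipv6-icmp` rules.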
@@ -41,7 +65,13 @@ ipv6_up() {
#########################
ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
echo -n "success"
}
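Review bot: `ipv4_down` flushes the chains (`$FILTER -F`) while the INPUT policy is still DROP, so between the flush and the `-P INPUT ACCEPT` line every inbound packet, including the established session running the script, is dropped; the three `-P ... ACCEPT` lines should be moved ahead of the `-F` calls so the policies are opened before the rules disappear. The same ordering applies to `ipv6_down` in the next hunk. Whether `$NAT` is defined is not visible in this hunk (the variable block is above line 15), so please confirm it exists before relying on it here.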
@@ -51,6 +81,11 @@ ipv4_down() {
#########################
ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
echo -n "success"
}