Diffstat (limited to 'roles/vm-network/templates/firewall.sh_public.j2')
-rw-r--r--roles/vm-network/templates/firewall.sh_public.j249
1 files changed, 49 insertions, 0 deletions
diff --git a/roles/vm-network/templates/firewall.sh_public.j2 b/roles/vm-network/templates/firewall.sh_public.j2
new file mode 100644
index 00000000..df5b1373
--- /dev/null
+++ b/roles/vm-network/templates/firewall.sh_public.j2
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
+PUBLIC_IF="$2"
+TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
+UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"
+
+#####
+IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
+ICMP="icmp{% if item == 6 %}v6{% endif %}"
+
+case "$1" in
+ start)
+ $IPTABLES -A INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+ $IPTABLES -A INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+ for port in $TCP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+ done
+ done
+ for port in $UDP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+ done
+ done
+ $IPTABLES -A INPUT -i $PUBLIC_IF -j DROP
+ ;;
+ stop)
+ $IPTABLES -D INPUT -i $PUBLIC_IF -j DROP
+ for port in $UDP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+ done
+ done
+ for port in $TCP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+ done
+ done
+ $IPTABLES -D INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+ $IPTABLES -D INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+ ;;
+ *)
+ echo "Usage: $0 (start|stop)"
+ exit 1
+ ;;
+esac
+
+exit 0
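Review bot: The `start` branch (lines 29–41) appends all ACCEPT rules before the terminal `-j DROP` and never checks that an `$IPTABLES` call succeeded — there is no `set -e` and line 64 exits 0 unconditionally — so a malformed entry in `$PUBLIC_IPS` or an empty `$2` can leave the public interface without its DROP rule while the caller is told the firewall came up. Adding `set -e` under the shebang and `: "${PUBLIC_IF:?usage: $0 start|stop <iface>}"` after line 19 at least surfaces such failures; installing the DROP before the ACCEPTs (or building the rules in a dedicated chain that is only linked into INPUT once complete) would also remove the brief fail-open window during `start`, at the cost of mirroring that order in `stop`. Separately, `-p $ICMP -j ACCEPT` on line 29 admits every ICMP type; for IPv6 most of ICMPv6 is genuinely required (neighbour discovery, PMTU), but for IPv4 it is more usual to restrict to the types the host actually needs. `-m state --state related,established` still works but `-m conntrack --ctstate RELATED,ESTABLISHED` is the current form of that match.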