From 3f1364557e1753ca0e8f2efcec9087516f4e0cbe Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 10 Jul 2019 17:21:54 +0200
Subject: added new jumphost
---
inventory/host_vars/ch-router.yml | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
(limited to 'inventory/host_vars/ch-router.yml')
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index deaf0371..c3df8e2b 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -65,19 +65,34 @@ openwrt_mixin: SSH_PORT=$(uci get dropbear.@dropbear[0].Port) + + ## Local Traffic + # iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + + ## WAN Traffic + # iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT + + + ## LAN Traffic + # + iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT + iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j SNAT --to "$MAGENTA_IPADDR" + iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s 192.168.0.0/16 -j SNAT --to "$MAGENTA_IPADDR" + + ## Drop all other inbound traffic + # iptables -P INPUT DROP iptables -P FORWARD DROP } -- cgit v1.2.3