From 115b4456d5d21bb06cb983f563b05808c8d511b7 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 29 Dec 2018 02:43:38 +0100
Subject: ele-router: fix firewall script

---
 inventory/host_vars/ele-router.yml | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

(limited to 'inventory/host_vars/ele-router.yml')

diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index e690cddc..da10e73c 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -8,20 +8,20 @@ network_internal_zone_names:
 openwrt_network_external:
- # - name: interface 'wan'
- # options:
- # ifname: eth0
- # proto: dhcp
-
 - name: interface 'wan'
 options:
- ifname: "eth0.{{ network_wan_zone.vlan }}"
- accept_ra: 0
- proto: static
- ipaddr: "{{ network_wan_zone.prefix | ipaddr(network_wan_zone.offsets[inventory_hostname]) | ipaddr('address') }}"
- netmask: "{{ network_wan_zone.prefix | ipaddr('netmask') }}"
- gateway: "{{ network_wan_zone.gw }}"
- dns: "{{ network_wan_zone.dns }}"
+ ifname: eth0
+ proto: dhcp
+
+ # - name: interface 'wan'
+ # options:
+ # ifname: "eth0.{{ network_wan_zone.vlan }}"
+ # accept_ra: 0
+ # proto: static
+ # ipaddr: "{{ network_wan_zone.prefix | ipaddr(network_wan_zone.offsets[inventory_hostname]) | ipaddr('address') }}"
+ # netmask: "{{ network_wan_zone.prefix | ipaddr('netmask') }}"
+ # gateway: "{{ network_wan_zone.gw }}"
+ # dns: "{{ network_wan_zone.dns }}"
 openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}"
 openwrt_network_internal_yaml: |
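Review bot: The static VLAN uplink definition is kept as a commented-out block with no note on why DHCP on untagged `eth0` now replaces it, and the commit subject ("fix firewall script") does not mention the WAN change at all, so a later reader cannot tell whether this is a temporary bring-up setting or the intended configuration. A one-line comment above the commented block, such as `# static VLAN uplink, disabled while the WAN runs on DHCP (reason: <fill in>)`, would settle that. The switch also drops `accept_ra: 0` together with the static addressing; if router advertisements on the uplink are still meant to be ignored, that needs confirming against the new interface. Since the firewall script in this file keys its untrusted side on `$WAN_IF`, it is worth confirming that `$WAN_IF` is derived from this interface definition rather than hard-coded to the old `eth0.<vlan>` device.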
@@ -168,19 +168,26 @@ openwrt_mixin:
 iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT
 iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT
- iptables -P INPUT DROP
 iptables -A FORWARD -i lo -j ACCEPT
 for zone in "{{ network_internal_zone_names | join('" "') }}"; do
 network_get_device interface "$zone"
 network_get_subnets subnets "$zone"
+
+ ### todo: only do this if dhcp is defined in network_zone
+ iptables -A INPUT -i $interface -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i $interface -p udp --dport 53 -j ACCEPT
+ iptables -A INPUT -i $interface -p tcp --dport 53 -j ACCEPT
+
 iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT
- iptables -A FORWARD -i $WAN_IF -o $interface -m state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT
 for subnet in $subnets; do
 iptables -A FORWARD -i $interface -o $WAN_IF -s $subnet -j ACCEPT
 iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE
 done
 done
+
+ iptables -P INPUT DROP
 iptables -P FORWARD DROP
 }
--
cgit v1.2.3
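Review bot: Moving `iptables -P INPUT DROP` from before the per-zone ACCEPT rules to the end of the block does not change the final ruleset, because a chain policy is only consulted after every rule in the chain regardless of when it was set, but it does leave INPUT under whatever policy was in force before while the rules are being appended, so if that was ACCEPT the router is briefly open on every reload; the actual fix in this hunk is the `--state` keyword on the FORWARD RELATED,ESTABLISHED rule, and `-P INPUT DROP` could stay where it was so the chain fails closed during loading. The three new INPUT rules use `$interface` unguarded: if `network_get_device` leaves it empty for a zone that is not up, `-i $interface` collapses and those iptables calls likely fail, and with no `set -e` visible the loop continues without that zone's DHCP/DNS rules, so a `[ -n "$interface" ] || continue` after the two network_get_* lines would make that case explicit. The `### todo` about restricting the DHCP rule to zones that actually define dhcp is a reasonable follow-up, but until then port 67 is open on every internal zone, which is worth stating in the comment. The enclosing shell function starts before this hunk.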