From 6360e8c96795ebab090e574899e9bd65594590a9 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 26 Dec 2018 20:24:54 +0100
Subject: added more firewall rules to ele-router

---
 inventory/host_vars/ele-router.yml | 38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)

(limited to 'inventory/host_vars/ele-router.yml')

diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 869b5dcb..e690cddc 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -149,7 +149,7 @@ openwrt_mixin:
         file: "{{ global_files_dir }}/common/htoprc"
     ## TODO: this script needs to be activated ... probably using a symlink file?
-    /etc/init.d/network-nat:
+    /etc/init.d/network-fw:
       mode: "0755"
       content: |
         #!/bin/sh /etc/rc.common
@@ -160,23 +160,35 @@ openwrt_mixin:
         source /lib/functions/network.sh
         network_get_device WAN_IF "wan"
-
-        {% for zone_name in network_internal_zone_names %}
-        network_get_subnets NETS "{{ zone_name }}"
-        {% if loop.first %}
-        INTERNAL_NETS="$NETS"
-        {% else %}
-        INTERNAL_NETS="INTERNAL_NETS $NETS"
-        {% endif %}
-        {% endfor %}
+        network_get_device MGMT_IF "mgmt"
         start() {
-          for net in $INTERNAL_NETS; do
-            iptables -t nat -A POSTROUTING -o $WAN_IF -s $net -j MASQUERADE
-          done;
+          iptables -A INPUT -i lo -j ACCEPT
+          iptables -A INPUT -i $MGMT_IF -j ACCEPT
+          iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT
+          iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+          iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT
+          iptables -P INPUT DROP
+
+          iptables -A FORWARD -i lo -j ACCEPT
+          for zone in "{{ network_internal_zone_names | join('" "') }}"; do
+            network_get_device interface "$zone"
+            network_get_subnets subnets "$zone"
+            iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT
+            iptables -A FORWARD -i $WAN_IF -o $interface -m state RELATED,ESTABLISHED -j ACCEPT
+            for subnet in $subnets; do
+              iptables -A FORWARD -i $interface -o $WAN_IF -s $subnet -j ACCEPT
+              iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE
+            done
+          done
+          iptables -P FORWARD DROP
         }
         stop() {
+          iptables -P INPUT ACCEPT
+          iptables INPUT -F
+          iptables -P FORWARD ACCEPT
+          iptables FORWARD -F
           iptables -t nat POSTROUTING -F
         }
-- 
cgit v1.2.3
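Review bot: The FORWARD return-traffic rule in start() is malformed — `-m state RELATED,ESTABLISHED` is missing `--state`, so iptables rejects that line, and because the script has no error handling the remaining lines still run and finish with `iptables -P FORWARD DROP`, which then drops every reply packet for the masqueraded internal subnets; the fix is `iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT`, matching the INPUT rule a few lines above. stop() has the same class of problem: `iptables INPUT -F` and `iptables FORWARD -F` (and the pre-existing `iptables -t nat POSTROUTING -F`) are not valid iptables syntax — the chain name must follow `-F` — so the chains are never flushed while their policies are reset to ACCEPT. start() also appends without flushing, so every restart duplicates the whole ruleset; the rewrite below flushes first and, since the chains now default to DROP, sets the policies before any ACCEPT rule is added so there is no accept-everything window during startup. Two things I cannot judge from the hunk and would want recorded in a comment: INPUT has no ACCEPT for the internal-zone interfaces, so under the DROP policy LAN clients apparently cannot reach services on the router itself (e.g. DNS), and only iptables is configured, so any IPv6 on $WAN_IF would be left unfiltered. The script header (`#!/bin/sh /etc/rc.common`, START) and the enclosing `content: |` block begin before this hunk.
```sh
start() {
  # flush first so a repeated start() does not append duplicate rules, and
  # install the DROP policies before any ACCEPT so there is no accept-all window
  iptables -F INPUT
  iptables -F FORWARD
  iptables -t nat -F POSTROUTING
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  # … unchanged: INPUT ACCEPT rules for lo, $MGMT_IF and $WAN_IF …
  # … unchanged: per-zone FORWARD/MASQUERADE loop, except this corrected line …
    iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT
  # … unchanged: remainder of the loop; the trailing -P INPUT/FORWARD DROP lines are now redundant …
}

stop() {
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F INPUT
  iptables -F FORWARD
  iptables -t nat -F POSTROUTING
}
```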