From 77348b800a6cb88e4a2bce76ce81ff333230749d Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 30 Dec 2018 12:25:11 +0100
Subject: accesspoints: added basic firewall
---
 inventory/group_vars/accesspoints/main.yml | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
(limited to 'inventory')
diff --git a/inventory/group_vars/accesspoints/main.yml b/inventory/group_vars/accesspoints/main.yml
index 79d0ec75..632e7e95 100644
--- a/inventory/group_vars/accesspoints/main.yml
+++ b/inventory/group_vars/accesspoints/main.yml
@@ -97,6 +97,37 @@ openwrt_mixin:
 /etc/htoprc:
 file: "{{ global_files_dir }}/common/htoprc"
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K91network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ MGMT_IF=$(uci get network.mgmt.ifname)
+ MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+ MGMT_NETMASK=$(uci get network.mgmt.netmask)
+
+ start() {
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ }
+
 openwrt_uci:
 system:
-- cgit v1.2.3
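Review bot: The INPUT chain built in `start()` accepts only loopback and the management subnet, so replies to connections the AP itself initiates (DNS, NTP, package fetches to hosts outside the mgmt net) are dropped once the policy is set to DROP; adding `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` before the policy change would fix that, assuming the conntrack match is present on this image. Only the IPv4 tables are touched, so any IPv6 address the AP acquires keeps an open INPUT chain; mirroring the rules with `ip6tables`, or documenting that IPv6 is disabled on these hosts, would close that gap. The three `uci get` calls are unchecked: if `network.mgmt.*` is unset the management ACCEPT rule fails to install while `-P INPUT DROP` still runs and locks out remote access, so a guard such as `[ -n "$MGMT_IF" ] && [ -n "$MGMT_IPADDR" ] && [ -n "$MGMT_NETMASK" ] || exit 1` before the policy changes is worthwhile. Repeated `start` invocations also append duplicate rules because INPUT is not flushed before the `-A` lines.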