From 8d543cabedc73c971845844f7fb616b1a8600d30 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 10 Jul 2019 09:33:10 +0200
Subject: ch-router: added firewall script
---
 inventory/host_vars/ch-router.yml | 53 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
(limited to 'inventory')
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 1acfc98f..3a5f8e43 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -36,6 +36,59 @@ openwrt_mixin:
 /etc/htoprc:
 file: "{{ global_files_dir }}/common/htoprc"
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K91network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ MAGENTA_IF=$(uci get network.magenta.ifname)
+ MAGENTA_IPADDR=$(uci get network.magenta.ipaddr)
+ MAGENTA_NETMASK=$(uci get network.magenta.netmask)
+
+ MGMT_IF=$(uci get network.mgmt.ifname)
+ MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+ MGMT_NETMASK=$(uci get network.mgmt.netmask)
+
+ SVC_IF=$(uci get "network.svc.ifname")
+ SVC_IPADDR=$(uci get "network.svc.ipaddr")
+ SVC_NETMASK=$(uci get "network.svc.netmask")
+
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+
+ iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT
+ iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j SNAT --to "$MAGENTA_IPADDR"
+
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
 openwrt_uci:
 system:
-- cgit v1.2.3
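Review bot: The new `network-fw` init script programs only the IPv4 tables and never touches `ip6tables`, so if any of the magenta/mgmt/svc interfaces carries IPv6 (even just link-local addresses) the `-P INPUT DROP` / `-P FORWARD DROP` at the end of `start()` do not apply to it and the router's listeners (including the `22000/tcp` service admitted on magenta) remain reachable over v6 under the kernel's default ACCEPT policy. Giving ip6tables the same default stance, sketched below, closes that gap (this assumes the ip6tables binary is present on the image); if IPv6 is actually meant to be used on these links, an additional `ip6tables -A INPUT -p icmpv6 -j ACCEPT` is needed so neighbour discovery keeps working. Two smaller points: the loopback rule admits only `127.0.0.0/8`, so locally originated traffic addressed to the router's own interface addresses, which the kernel also delivers over `lo`, falls through to the DROP policy — `iptables -A INPUT -i lo -j ACCEPT` is the usual form — and because `start()` only appends with `-A` and never flushes, running it twice without an intervening `stop` duplicates every rule. The hunk says nothing about OpenWrt's stock `firewall` service, which manages the same tables when enabled; if it is still active on ch-router (its host vars are not in this hunk) it should be explicitly disabled so the two do not interact.
```shell
start() {
    # … unchanged: uci lookups and IPv4 rules …

    # Mirror the IPv4 stance for IPv6; the v4 rules above say nothing about it.
    # Add '-p icmpv6 -j ACCEPT' before the DROP policy if IPv6 is used on these links.
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
}

stop() {
    # … unchanged: IPv4 policy reset and flush …
    ip6tables -P INPUT ACCEPT
    ip6tables -F INPUT
    ip6tables -P FORWARD ACCEPT
    ip6tables -F FORWARD
}
```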