From 2011199bf9c4fb36c934b2ff7d522971bc4f8dae Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 19 Jan 2019 00:53:46 +0100
Subject: added firewall script for all network setups

---
 .../media/templates/firewall/elevate-office.sh.j2 | 33 +++++++++++++++++++---
 1 file changed, 29 insertions(+), 4 deletions(-)

(limited to 'roles/elevate/media/templates/firewall/elevate-office.sh.j2')

diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
index 041e441b..19cea0db 100644
--- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2
+++ b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
@@ -15,13 +15,23 @@ MANGLE="$IPTABLES -t mangle"
 FILTER6="$IP6TABLES -t filter"
 MANGLE6="$IP6TABLES -t mangle"
+LAN_IF="{{ network.primary.interface }}"
+LAN_IPADDR="192.168.0.250"
+LAN_NETMASK="255.255.255.0"
+
 #########################
 # IPv4 UP #
 #########################
 ipv4_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
 echo -n "success"
 }
@@ -31,7 +41,11 @@ ipv4_up() {
 #########################
 ipv6_up() {
- # don't do anything here
+ $FILTER -A INPUT -i lo -j ACCEPT
+
+ $FILTER -P INPUT DROP
+ $FILTER -P FORWARD DROP
+
 echo -n "success"
 }
@@ -41,7 +55,13 @@ ipv6_up() {
 #########################
 ipv4_down() {
- # don't do anything here
+ $MANGLE -F
+ $NAT -F
+ $FILTER -F
+ $FILTER -P INPUT ACCEPT
+ $FILTER -P FORWARD ACCEPT
+ $FILTER -P OUTPUT ACCEPT
+
 echo -n "success"
 }
@@ -51,6 +71,11 @@ ipv4_down() {
 #########################
 ipv6_down() {
- # don't do anything here
+ $MANGLE6 -F
+ $FILTER6 -F
+ $FILTER6 -P INPUT ACCEPT
+ $FILTER6 -P FORWARD ACCEPT
+ $FILTER6 -P OUTPUT ACCEPT
+
 echo -n "success"
 }
-- 
cgit v1.2.3
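Review bot: ipv4_up sets `-P INPUT DROP` with only the loopback and LAN-sourced ACCEPT rules in front of it, so replies to connections the host opens itself to anything outside `$LAN_IPADDR/$LAN_NETMASK` (the function never restricts OUTPUT) are dropped on the way back; a `$FILTER -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` before the policy line is the missing piece. The loopback rule is also narrower than it looks: traffic on `lo` addressed to the host's own LAN address rather than 127.0.0.0/8 matches neither ACCEPT rule and is dropped. LAN_IPADDR and LAN_NETMASK are hard-coded in a Jinja template while LAN_IF is taken from `network.primary.interface`; presumably the address and mask belong in the same Ansible variable, e.g. `LAN_IPADDR="{{ network.primary.address }}"`, rather than in the template. Whether the caller flushes the tables before ipv4_up runs is not visible here; if it does not, every call appends a duplicate set of rules.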
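Review bot: ipv6_up drives `$FILTER` (the iptables filter table) instead of `$FILTER6`, so its three commands tighten IPv4 a second time and leave ip6tables at its default ACCEPT policies with no rules at all; the lines should read `$FILTER6 -A INPUT -i lo -j ACCEPT`, `$FILTER6 -P INPUT DROP` and `$FILTER6 -P FORWARD DROP`, matching the `$FILTER6`/`$MANGLE6` usage in ipv6_down. Once the IPv6 INPUT policy really is DROP, a rule such as `$FILTER6 -A INPUT -p ipv6-icmp -j ACCEPT` is needed as well, because neighbour discovery and router advertisements arrive as ICMPv6 and the host would otherwise lose its on-link IPv6 reachability; whether this host uses IPv6 at all is not visible from the hunk. An ESTABLISHED,RELATED rule is missing on this side for the same reason as on the IPv4 side.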