From ebdc942ade4aed78fd7305b4afd54481a619e26f Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 31 Jan 2022 23:59:07 +0100
Subject: rework elevate/media role (WIP)
---
 .../templates/firewall/elevate-festival.sh.j2 | 98 ----------------------
 .../media/templates/firewall/elevate-office.sh.j2 | 82 ------------------
 .../media/templates/firewall/lan-only.sh.j2 | 82 ------------------
 .../media/templates/firewall/r3-with-lan.sh.j2 | 97 ---------------------
 roles/elevate/media/templates/firewall/r3.sh.j2 | 91 --------------------
 5 files changed, 450 deletions(-)
 delete mode 100644 roles/elevate/media/templates/firewall/elevate-festival.sh.j2
 delete mode 100644 roles/elevate/media/templates/firewall/elevate-office.sh.j2
 delete mode 100644 roles/elevate/media/templates/firewall/lan-only.sh.j2
 delete mode 100644 roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
 delete mode 100644 roles/elevate/media/templates/firewall/r3.sh.j2
(limited to 'roles/elevate/media/templates/firewall')
diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
deleted file mode 100644
index c9d6cb88..00000000
--- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
+++ /dev/null
@@ -1,98 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}"
-LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}"
-
-EXT_IF="wg-gwhetzner"
-EXT_IPADDR="192.168.254.2"
-
-EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
-EXT_SERVICES_UDP=""
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
- for port in $EXT_SERVICES_TCP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
- done
- for port in $EXT_SERVICES_UDP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
- done
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2
deleted file mode 100644
index 93805cdf..00000000
--- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="192.168.0.250"
-LAN_NETMASK="255.255.255.0"
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2
deleted file mode 100644
index 85f0cde4..00000000
--- a/roles/elevate/media/templates/firewall/lan-only.sh.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}"
-LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}"
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
deleted file mode 100644
index fb2d45a9..00000000
--- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2
+++ /dev/null
@@ -1,97 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-LAN_IF="{{ network.primary.name }}"
-LAN_IPADDR="{{ network.primary.address | ipaddr('address') }}"
-LAN_NETMASK="{{ network.primary.address | ipaddr('netmask') }}"
-
-EXT_IF="{{ network.primary.name }}.{{ network_zones.ccinet.vlan }}"
-EXT_IPADDR="89.106.211.61"
-
-EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
-EXT_SERVICES_UDP=""
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
-
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
- for port in $EXT_SERVICES_TCP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
- done
- for port in $EXT_SERVICES_UDP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
- done
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2
deleted file mode 100644
index a8425825..00000000
--- a/roles/elevate/media/templates/firewall/r3.sh.j2
+++ /dev/null
@@ -1,91 +0,0 @@
-#######################
-# Definitions #
-#######################
-
-IPTABLES="/sbin/iptables"
-IP6TABLES="/sbin/ip6tables"
-
-[ -x $IPTABLES ] || exit 0
-[ -x $IP6TABLES ] || exit 0
-
-FILTER="$IPTABLES -t filter"
-NAT="$IPTABLES -t nat"
-MANGLE="$IPTABLES -t mangle"
-
-FILTER6="$IP6TABLES -t filter"
-MANGLE6="$IP6TABLES -t mangle"
-
-EXT_IF="{{ network.primary.name }}"
-EXT_IPADDR="89.106.211.61"
-
-EXT_SERVICES_TCP="80 443 {{ ansible_port }}"
-EXT_SERVICES_UDP=""
-
-
-#########################
-# IPv4 UP #
-#########################
-
-ipv4_up() {
- $FILTER -A INPUT -i lo -j ACCEPT
-
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
- for port in $EXT_SERVICES_TCP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT
- done
- for port in $EXT_SERVICES_UDP; do
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT
- done
- $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-
- $FILTER -P INPUT DROP
- $FILTER -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 UP #
-#########################
-
-ipv6_up() {
- $FILTER6 -A INPUT -i lo -j ACCEPT
-
- $FILTER6 -P INPUT DROP
- $FILTER6 -P FORWARD DROP
-
- echo -n "success"
-}
-
-
-#########################
-# IPv4 DOWN #
-#########################
-
-ipv4_down() {
- $MANGLE -F
- $NAT -F
- $FILTER -F
- $FILTER -P INPUT ACCEPT
- $FILTER -P FORWARD ACCEPT
- $FILTER -P OUTPUT ACCEPT
-
- echo -n "success"
-}
-
-
-#########################
-# IPv6 DOWN #
-#########################
-
-ipv6_down() {
- $MANGLE6 -F
- $FILTER6 -F
- $FILTER6 -P INPUT ACCEPT
- $FILTER6 -P FORWARD ACCEPT
- $FILTER6 -P OUTPUT ACCEPT
-
- echo -n "success"
-}
--
cgit v1.2.3