winzlieb/network
winzlieb
/
network
forked from zentralwerk/network
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/zentralwerk/network

This commit is contained in:
root 2017-05-29 19:47:45 +02:00
parent 07722b046e 2f202d7b2f
commit 07b838a4da
3 changed files with 27 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
salt-pillar/hosts/init.sls
View File

@ -38,6 +38,7 @@ hosts-inet:
ap30: 10.0.0.70 ap30: 10.0.0.70
ap31: 10.0.0.71 ap31: 10.0.0.71
ap32: 10.0.0.72 ap32: 10.0.0.72
monit: 10.0.0.80
mgmt-gw: 10.0.0.254 mgmt-gw: 10.0.0.254
core: core:

45
salt/firewall/mgmt-gw.sh
View File

@ -1,25 +1,24 @@
#!/bin/sh #!/bin/sh
if [ "$IFACE" = "{{ interface }}" ]; then IFACE=mgmt
iptables -F FORWARD iptables -F FORWARD
ip6tables -F FORWARD ip6tables -F FORWARD
iptables -P FORWARD DROP iptables -P FORWARD DROP
ip6tables -P FORWARD DROP ip6tables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# DNS # DNS
iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
# NTP # NTP
iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
# collectd # collectd
iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
# downloads.lede-project.org # downloads.lede-project.org
iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
# Deny by default # Deny by default
iptables -A FORWARD -j REJECT iptables -A FORWARD -j REJECT
ip6tables -A FORWARD -j REJECT ip6tables -A FORWARD -j REJECT
fi

4
salt/lxc-containers/config
View File

@ -55,6 +55,10 @@ lxc.network.name={{ net }}
{%- set n = n + 1 %} {%- set n = n + 1 %}
{%- endfor %} {%- endfor %}
{%- if id == 'mgmt-gw' %}
lxc.network.script.up=/etc/network/if-pre-up.d/firewall
{%- endif %}
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod