prepare mgmt-gw container
parent
1cf0451184
commit
568fa2102d
@ -38,6 +38,7 @@ hosts-inet:
|
|||
ap30: 10.0.0.70
|
||||
ap31: 10.0.0.71
|
||||
ap32: 10.0.0.72
|
||||
mgmt-gw: 10.0.0.254
|
||||
|
||||
core:
|
||||
server1: 172.20.72.1
|
||||
|
@ -68,6 +69,7 @@ hosts-inet:
|
|||
priv15-gw: 172.20.72.25
|
||||
priv16-gw: 172.20.72.26
|
||||
bgp: 172.20.72.27
|
||||
mgmt-gw: 172.20.72.28
|
||||
|
||||
pub:
|
||||
pub-gw: 172.20.76.1
|
||||
|
|
|
@ -156,3 +156,11 @@ containers:
|
|||
type: veth
|
||||
gw: serv-gw
|
||||
gw6: serv-gw
|
||||
|
||||
mgmt-gw:
|
||||
interfaces:
|
||||
core:
|
||||
type: veth
|
||||
gw: upstream1
|
||||
mgmt:
|
||||
type: veth
|
||||
|
|
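--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ interface }}" ]; then
+  iptables -F FORWARD
+  iptables -P FORWARD REJECT
+  iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+  # DNS
+  iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+  # NTP
+  iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+  # collectd
+  iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+fi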
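Review bot: `iptables -P FORWARD REJECT` is not a valid chain policy — only the built-in targets ACCEPT and DROP can be set with `-P` — so that line fails with "Bad policy name", and because the script has no `set -e` the FORWARD chain keeps whatever policy it already had (ACCEPT by default) after the preceding `-F`, leaving the filter fail-open. It should be `iptables -P FORWARD DROP`; if clients are meant to get an error instead of a timeout, append `iptables -A FORWARD -j REJECT` after the last ACCEPT rule. The return-path rule only matches `ESTABLISHED`; `--state ESTABLISHED,RELATED` would also admit ICMP errors and other related traffic. This only programs IPv4; if IPv6 forwarding is enabled on this container (the top file applies the `forwarding` state to it), an equivalent ip6tables policy is presumably needed — confirm.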
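--- a/salt/firewall/mgmt-gw.sls
+++ b/salt/firewall/mgmt-gw.sls
@@ -0,0 +1,7 @@
+/etc/network/if-pre-up.d/firewall:
+  file.managed:
+    - source: salt://upstream/mgmt-gw.sh
+    - template: 'jinja'
+    - mode: 744
+    - require:
+      - pkg: iptables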
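Review bot: The `source` path `salt://upstream/mgmt-gw.sh` does not match where this commit adds the script (`salt/firewall/mgmt-gw.sh`); assuming the file roots point at `salt/`, it should be `- source: salt://firewall/mgmt-gw.sh`, otherwise file.managed fails and no firewall script is installed on the gateway. The script is rendered with `template: 'jinja'` and tests `{{ interface }}`, but the state passes no `context` or `defaults`, so the variable is undefined at render time and the `$IFACE` comparison can never match; presumably `- context:` with `    interface: mgmt` (the container's mgmt interface name, to be confirmed) is what is intended. The `require` on `pkg: iptables` assumes an `iptables` pkg state exists elsewhere in the tree; this commit does not add one.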
|
@ -17,10 +17,12 @@ base:
|
|||
- forwarding
|
||||
- bird
|
||||
- dhcp
|
||||
'c3d2-gw or c3d2-anon':
|
||||
'c3d2-gw or c3d2-anon or mgmt-gw':
|
||||
- no-ssh
|
||||
- forwarding
|
||||
- bird
|
||||
'mgmt-gw':
|
||||
- firewall.mgmt-gw
|
||||
'bgp':
|
||||
- no-ssh
|
||||
- forwarding
|
||||
|