diff --git a/salt-pillar/hosts/init.sls b/salt-pillar/hosts/init.sls
index 981ae28..5b8ba95 100644
--- a/salt-pillar/hosts/init.sls
+++ b/salt-pillar/hosts/init.sls
@@ -38,6 +38,7 @@ hosts-inet:
 ap30: 10.0.0.70
 ap31: 10.0.0.71
 ap32: 10.0.0.72
+ mgmt-gw: 10.0.0.254
 core:
 server1: 172.20.72.1
@@ -68,6 +69,7 @@ hosts-inet:
 priv15-gw: 172.20.72.25
 priv16-gw: 172.20.72.26
 bgp: 172.20.72.27
+ mgmt-gw: 172.20.72.28
 pub:
 pub-gw: 172.20.76.1
diff --git a/salt-pillar/lxc-containers/server1.sls b/salt-pillar/lxc-containers/server1.sls
index b574ec2..0a5a47e 100644
--- a/salt-pillar/lxc-containers/server1.sls
+++ b/salt-pillar/lxc-containers/server1.sls
@@ -156,3 +156,11 @@ containers:
 type: veth
 gw: serv-gw
 gw6: serv-gw
+
+ mgmt-gw:
+ interfaces:
+ core:
+ type: veth
+ gw: upstream1
+ mgmt:
+ type: veth
diff --git a/salt/firewall/mgmt-gw.sh b/salt/firewall/mgmt-gw.sh
new file mode 100644
index 000000000..b3430ef
--- /dev/null
+++ b/salt/firewall/mgmt-gw.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ interface }}" ]; then
+ iptables -F FORWARD
+ iptables -P FORWARD REJECT
+ iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ # DNS
+ iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+ # NTP
+ iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+ # collectd
+ iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+fi
diff --git a/salt/firewall/mgmt-gw.sls b/salt/firewall/mgmt-gw.sls
new file mode 100644
index 000000000..06f643c
--- /dev/null
+++ b/salt/firewall/mgmt-gw.sls
@@ -0,0 +1,7 @@
+/etc/network/if-pre-up.d/firewall:
+ file.managed:
+ - source: salt://upstream/mgmt-gw.sh
+ - template: 'jinja'
+ - mode: 744
+ - require:
+ - pkg: iptables
diff --git a/salt/top.sls b/salt/top.sls
index 25a3aff..2914d9f 100644
--- a/salt/top.sls
+++ b/salt/top.sls
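Review bot: The new `mgmt-gw` container sets only `gw: upstream1` on its `core` interface, whereas the container immediately above it in the hunk carries both `gw` and `gw6`; if the container template derives the IPv6 default route from `gw6`, this container comes up without one, which may or may not be intended for a management gateway. The `mgmt` interface deliberately has no gateway, which is consistent with the container itself being the gateway for that segment. If IPv6 is routed across this container, note that the firewall script added in this commit programs `iptables` only, so IPv6 forwarding would be unfiltered; either add `gw6` with matching `ip6tables` rules or document the decision, e.g. `# IPv4-only on purpose: no gw6` next to the `core` interface. The enclosing `containers:` mapping begins before this hunk.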
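Review bot: `iptables -P FORWARD REJECT` is not a valid chain policy — built-in chain policies accept only ACCEPT or DROP (REJECT is an extension target usable in rules, not as a policy) — so that line fails, and because the script runs under `#!/bin/sh` without `set -e` the remaining rules are still appended on top of whatever policy FORWARD already had, typically ACCEPT, leaving the gateway forwarding everything instead of only DNS, NTP and collectd. Change it to `iptables -P FORWARD DROP` and, if REJECT semantics are wanted for the mgmt side, append `iptables -A FORWARD -i "$IFACE" -j REJECT` as the last rule. Add `set -e` after the shebang so any failed iptables call aborts the pre-up hook instead of bringing the interface up half-filtered, and quote `"$IFACE"` in the `-i` arguments as the guard line already does. The return-traffic rule could also read `--state ESTABLISHED,RELATED` so ICMP errors belonging to permitted flows are not rejected.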
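Review bot: `source: salt://upstream/mgmt-gw.sh` does not match where this commit adds the script (`salt/firewall/mgmt-gw.sh`); unless `file_roots` maps an `upstream/` directory elsewhere, `file.managed` fails with a source-not-found error and the hook is never installed, so it should read `- source: salt://firewall/mgmt-gw.sh`. The script is rendered with `template: 'jinja'` and compares `$IFACE` against `{{ interface }}`, but nothing in this state supplies that variable; with Salt's default non-strict undefined handling I believe it renders as an empty string, so the guard never matches and no rules are loaded — add `- context:` with `interface: <MGMT_IFACE_PLACEHOLDER>` (or a `defaults:` block) naming the interface the hook should fire on. Because the rules are only programmed from `if-pre-up.d`, a highstate on an already-running container installs the file but enforces nothing until that interface is next brought up, which deserves a comment or an `onchanges`-triggered `cmd.run` that applies the rules immediately. The `pkg: iptables` requisite also presumes a state with ID `iptables` exists in the same highstate, which is not visible in this diff.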
@@ -17,10 +17,12 @@ base:
 - forwarding
 - bird
 - dhcp
- 'c3d2-gw or c3d2-anon':
+ 'c3d2-gw or c3d2-anon or mgmt-gw':
 - no-ssh
 - forwarding
 - bird
+ 'mgmt-gw':
+ - firewall.mgmt-gw
 'bgp':
 - no-ssh
 - forwarding