prepare mgmt-gw container
This commit is contained in:
parent
1cf0451184
commit
568fa2102d
@ -38,6 +38,7 @@ hosts-inet:
|
||||||
ap30: 10.0.0.70
|
ap30: 10.0.0.70
|
||||||
ap31: 10.0.0.71
|
ap31: 10.0.0.71
|
||||||
ap32: 10.0.0.72
|
ap32: 10.0.0.72
|
||||||
|
mgmt-gw: 10.0.0.254
|
||||||
|
|
||||||
core:
|
core:
|
||||||
server1: 172.20.72.1
|
server1: 172.20.72.1
|
||||||
|
@ -68,6 +69,7 @@ hosts-inet:
|
||||||
priv15-gw: 172.20.72.25
|
priv15-gw: 172.20.72.25
|
||||||
priv16-gw: 172.20.72.26
|
priv16-gw: 172.20.72.26
|
||||||
bgp: 172.20.72.27
|
bgp: 172.20.72.27
|
||||||
|
mgmt-gw: 172.20.72.28
|
||||||
|
|
||||||
pub:
|
pub:
|
||||||
pub-gw: 172.20.76.1
|
pub-gw: 172.20.76.1
|
||||||
|
|
|
@ -156,3 +156,11 @@ containers:
|
||||||
type: veth
|
type: veth
|
||||||
gw: serv-gw
|
gw: serv-gw
|
||||||
gw6: serv-gw
|
gw6: serv-gw
|
||||||
|
|
||||||
|
mgmt-gw:
|
||||||
|
interfaces:
|
||||||
|
core:
|
||||||
|
type: veth
|
||||||
|
gw: upstream1
|
||||||
|
mgmt:
|
||||||
|
type: veth
|
||||||
|
|
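--- /dev/null
+++ b/salt/firewall/mgmt-gw.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ interface }}" ]; then
+iptables -F FORWARD
+iptables -P FORWARD REJECT
+iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+# DNS
+iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+# NTP
+iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+# collectd
+iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+fi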
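--- /dev/null
+++ b/salt/firewall/mgmt-gw.sls
@@ -0,0 +1,7 @@
+/etc/network/if-pre-up.d/firewall:
+file.managed:
+- source: salt://upstream/mgmt-gw.sh
+- template: 'jinja'
+- mode: 744
+- require:
+- pkg: iptables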
|
@ -17,10 +17,12 @@ base:
|
||||||
- forwarding
|
- forwarding
|
||||||
- bird
|
- bird
|
||||||
- dhcp
|
- dhcp
|
||||||
'c3d2-gw or c3d2-anon':
|
'c3d2-gw or c3d2-anon or mgmt-gw':
|
||||||
- no-ssh
|
- no-ssh
|
||||||
- forwarding
|
- forwarding
|
||||||
- bird
|
- bird
|
||||||
|
'mgmt-gw':
|
||||||
|
- firewall.mgmt-gw
|
||||||
'bgp':
|
'bgp':
|
||||||
- no-ssh
|
- no-ssh
|
||||||
- forwarding
|
- forwarding
|
||||||
|
|