add firewall.priv-stateful for priv13-gw
This commit is contained in:
parent
d278669f64
commit
b75dc44dcf
|
@ -0,0 +1,20 @@
|
|||
#!/bin/sh
|
||||
|
||||
export PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
if [ echo "$IFACE" | grep priv >/dev/null ]; then
|
||||
iptables -F FORWARD
|
||||
ip6tables -F FORWARD
|
||||
iptables -P FORWARD DROP
|
||||
ip6tables -P FORWARD DROP
|
||||
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||
ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
|
||||
# loopback
|
||||
iptables -A FORWARD -i lo -j ACCEPT
|
||||
ip6tables -A FORWARD -i lo -j ACCEPT
|
||||
# DHCP
|
||||
iptables -A FORWARD -i $IFACE -p udp --dport 67 -j ACCEPT
|
||||
# Deny by default
|
||||
iptables -A FORWARD -j REJECT
|
||||
ip6tables -A FORWARD -j REJECT
|
||||
fi
|
|
@ -0,0 +1,10 @@
|
|||
iptables:
|
||||
pkg.installed: []
|
||||
|
||||
/etc/network/if-pre-up.d/firewall:
|
||||
file.managed:
|
||||
- source: salt://firewall/priv-stateful.sh
|
||||
- template: 'jinja'
|
||||
- mode: 744
|
||||
- require:
|
||||
- pkg: iptables
|
|
@ -12,6 +12,8 @@ base:
|
|||
- forwarding
|
||||
- bird
|
||||
- dhcp
|
||||
'priv13-gw':
|
||||
- firewall.priv-stateful
|
||||
'pub-gw or serv-gw':
|
||||
- no-ssh
|
||||
- forwarding
|
||||
|
|
Loading…
Reference in New Issue