add firewall.priv-stateful for priv13-gw

This commit is contained in:
Astro 2018-04-14 21:42:54 +02:00
parent d278669f64
commit b75dc44dcf
3 changed files with 32 additions and 0 deletions

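--- /dev/null
+++ b/firewall/priv-stateful.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin
+if [ echo "$IFACE" | grep priv >/dev/null ]; then
+iptables -F FORWARD
+ip6tables -F FORWARD
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
+iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+# loopback
+iptables -A FORWARD -i lo -j ACCEPT
+ip6tables -A FORWARD -i lo -j ACCEPT
+# DHCP
+iptables -A FORWARD -i $IFACE -p udp --dport 67 -j ACCEPT
+# Deny by default
+iptables -A FORWARD -j REJECT
+ip6tables -A FORWARD -j REJECT
+fi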
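Review bot: The condition on the third line, `if [ echo "$IFACE" | grep priv >/dev/null ]; then`, can never be true as written: the pipe splits it into `[ echo "$IFACE"` (which fails with a missing `]`) and `grep priv >/dev/null ]` (which tries to open a file literally named `]`), so the whole body is skipped and FORWARD keeps whatever policy it had before on every priv interface. Write it as `if echo "$IFACE" | grep -q priv; then`, or without a subprocess as `case "$IFACE" in *priv*) ... ;; esac`. Separately, `--state ESTABLISHED` without `RELATED` will reject ICMP error packets and other related flows of otherwise allowed connections, and `-i $IFACE` should be quoted; both are one-token changes. Note also that `-F FORWARD` clears any rules other states on this host may have placed in that chain, which deserves a comment if that is intended.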
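--- /dev/null
+++ b/UNKNOWN_PATH.sls
@@ -0,0 +1,10 @@
+iptables:
+pkg.installed: []
+/etc/network/if-pre-up.d/firewall:
+file.managed:
+- source: salt://firewall/priv-stateful.sh
+- template: 'jinja'
+- mode: 744
+- require:
+- pkg: iptables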
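Review bot: Applying this state only places the hook in /etc/network/if-pre-up.d; nothing runs it, so on a host whose priv interface is already up the FORWARD rules do not take effect until that interface (or networking) is restarted. Either a comment on `file.managed` stating that a reload is required, or a `cmd.run` with `onchanges` on this file, would close that gap. The nesting of `pkg.installed` and the `file.managed` arguments is not visible in this rendering, so I assume the indentation is correct in the actual file.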

@ -12,6 +12,8 @@ base:
- forwarding
- bird
- dhcp
'priv13-gw':
- firewall.priv-stateful
'pub-gw or serv-gw':
- no-ssh
- forwarding