add firewall.priv-stateful for priv13-gw
This commit is contained in:
parent
d278669f64
commit
b75dc44dcf
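--- /dev/null
+++ b/firewall/priv-stateful.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+if [ echo "$IFACE" | grep priv >/dev/null ]; then
+iptables -F FORWARD
+ip6tables -F FORWARD
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
+iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+# loopback
+iptables -A FORWARD -i lo -j ACCEPT
+ip6tables -A FORWARD -i lo -j ACCEPT
+# DHCP
+iptables -A FORWARD -i $IFACE -p udp --dport 67 -j ACCEPT
+# Deny by default
+iptables -A FORWARD -j REJECT
+ip6tables -A FORWARD -j REJECT
+fi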
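Review bot: The condition on the `if` line can never be true, so the FORWARD rules below it are never installed: inside `[ … ]` the pipe splits the command into `[ echo "$IFACE"` (a test with no closing bracket, which fails) and `grep priv >/dev/null ]`, where `]` is taken as a file name, so grep exits 2 for every interface. Drop the brackets and use grep's own exit status: `if echo "$IFACE" | grep -q priv; then`. Two things to decide once it actually runs: the ESTABLISHED rules omit RELATED, so ICMP errors and helper-tracked connections for forwarded flows fall through to the final REJECT, and the DHCP exception is IPv4 only (the v6 chain has no rule for DHCPv6 on udp 547), which may or may not be intended. `$IFACE` should also be quoted on the DHCP rule line as it is on the `if` line.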
@ -0,0 +1,10 @@
iptables:
pkg.installed: []
/etc/network/if-pre-up.d/firewall:
file.managed:
- source: salt://firewall/priv-stateful.sh
- template: 'jinja'
- mode: 744
- require:
- pkg: iptables
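Review bot: Deploying the hook does not enforce it: file.managed writes `/etc/network/if-pre-up.d/firewall`, but nothing in this state runs the script, so on a host whose priv interface is already up the FORWARD chain keeps whatever policy it had (presumably ACCEPT) until that interface is brought down and up again or the host reboots. If the policy is meant to apply on the same highstate, a `cmd.run` guarded by `onchanges: - file: /etc/network/if-pre-up.d/firewall`, invoking the script with `IFACE` set to the private interface, would close that window. Separately, `template: 'jinja'` is set although the script carries no Jinja markup; it is harmless now, but any literal `{{` or `{%` later added to the shell script would be consumed by the renderer, so drop it unless templating is planned. Quoting the mode (`- mode: '744'`) follows the file.managed convention and avoids YAML octal parsing should a leading zero ever be added.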
@ -12,6 +12,8 @@ base:
- forwarding
- forwarding
- bird
- bird
- dhcp
- dhcp
'priv13-gw':
- firewall.priv-stateful
'pub-gw or serv-gw':
'pub-gw or serv-gw':
- no-ssh
- no-ssh
- forwarding
- forwarding