Revert "apply mgmt-gw's firewall via lxc-hook"

This reverts commit 2f202d7b2f. The referenced mgmt-gw.sh gets provisioned inside the container so it does not make sense to call it on the host.
2017-12-11 00:36:10 +01:00 · 2017-12-11 00:36:10 +01:00 · d9d6c8cff0
parent ee9c83536a
commit d9d6c8cff0
2 changed files with 25 additions and 28 deletions
--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@ -2,27 +2,28 @@

 export PATH=/sbin:/bin:/usr/sbin:/usr/bin

-IFACE=mgmt
-iptables -F FORWARD
-ip6tables -F FORWARD
-iptables -P FORWARD DROP
-ip6tables -P FORWARD DROP
-iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
-ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
-# DNS
-iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
-# NTP
-iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
-# collectd
-iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
-# downloads.lede-project.org
-iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
-# radius.hq.c3d2.de
-iptables -A FORWARD -i $IFACE --dest 172.22.99.22 -j ACCEPT
-# Deny by default
-iptables -A FORWARD -j REJECT
-ip6tables -A FORWARD -j REJECT
+if [ "$IFACE" = "{{ interface }}" ]; then
+    iptables -F FORWARD
+    ip6tables -F FORWARD
+    iptables -P FORWARD DROP
+    ip6tables -P FORWARD DROP
+    iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+    ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+    # DNS
+    iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+    ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+    # NTP
+    iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+    ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+    # collectd
+    iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+    ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+    # downloads.lede-project.org
+    iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
+    ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
+    # radius.hq.c3d2.de
+    iptables -A FORWARD -i $IFACE --dest 172.22.99.22 -j ACCEPT
+    # Deny by default
+    iptables -A FORWARD -j REJECT
+    ip6tables -A FORWARD -j REJECT
+fi
--- a/salt/lxc-containers/config
+++ b/salt/lxc-containers/config
@ -55,10 +55,6 @@ lxc.network.name={{ net }}
 {%- set n = n + 1 %}
 {%- endfor %}

-{%- if id == 'mgmt-gw' %}
-lxc.network.script.up=/etc/network/if-pre-up.d/firewall
-{%- endif %}
-

 lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod