From 92aa3546aada0ae6c76a0620c9bb02c37d801c1b Mon Sep 17 00:00:00 2001
From: James Oakley
Date: Fri, 22 Mar 2019 14:54:25 -0700
Subject: [PATCH] Initial Commit
---
40_customfirewall | 71 +++++++++++++++++++++++++++++++++++++++++++++++
Makefile | 12 ++++++++
README | 64 ++++++++++++++++++++++++++++++++++++++++++
customfirewall | 6 ++++
init.sls | 10 +++++++
5 files changed, 163 insertions(+)
create mode 100644 40_customfirewall
create mode 100644 Makefile
create mode 100644 README
create mode 100644 customfirewall
create mode 100644 init.sls
diff --git a/40_customfirewall b/40_customfirewall
new file mode 100644
index 0000000..b9cc693
--- /dev/null
+++ b/40_customfirewall
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+# 40_customfirewall - Custom firewall
+#
+PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+NAME="40_customfirewall"
+
+test -f /etc/default/customfirewall || { exit 0; }
+
+source /etc/default/customfirewall
+
+
+function start() {
+ log_progress_msg $NAME
+
+ iptables -t nat -N customfirewall_prerouting
+ iptables -t nat -I PREROUTING -j customfirewall_prerouting
+
+ for address_def in $ADDRESSES ; do
+ IFS=, read -r interface ip <<< "$address_def"
+ ip addr add $ip dev $interface
+ done
+
+ for rule_def in $FORWARDS ; do
+ IFS=, read -r ip proto port destination <<< "$rule_def"
+ iptables -t nat -A customfirewall_prerouting -d $ip -p $proto --dport $port -j DNAT --to-destination $destination
+ done
+}
+
+
+function stop() {
+ log_progress_msg $NAME
+
+ for address_def in $ADDRESSES ; do
+ IFS=, read -r interface ip <<< "$address_def"
+ ip addr del $ip dev $interface
+ done
+
+ iptables -t nat -D PREROUTING -j customfirewall_prerouting
+ iptables -t nat -F customfirewall_prerouting
+ iptables -t nat -X customfirewall_prerouting
+}
+
+
+function status() {
+ iptables -t nat -nvL customfirewall_prerouting
+}
+
+
+test -f /lib/lsb/init-functions && . /lib/lsb/init-functions
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart|force-reload)
+ stop
+ start
+ ;;
+ status)
+ status
+ exit 0
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..284442f
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,12 @@
+
+STATEDIR = /etc/bondingadmin/salt-config/states/customfirewall
+PILLARDIR = /etc/bondingadmin/salt-config/pillars/customfirewall
+
+all:
+
+install:
+ install -d -m 0755 $(DESTDIR)$(STATEDIR)
+ install -m 0644 40_customfirewall $(DESTDIR)$(STATEDIR)/40_customfirewall
+ install -m 0644 customfirewall $(DESTDIR)$(STATEDIR)/customfirewall
+ install -m 0644 init.sls $(DESTDIR)$(STATEDIR)/init.sls
+ install -d -m 0755 $(DESTDIR)$(PILLARDIR)
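Review bot: `start` is not safe to run twice: `iptables -t nat -N customfirewall_prerouting` fails once the chain exists, and `iptables -t nat -I PREROUTING -j customfirewall_prerouting` inserts an additional jump on every repeated start while `stop` deletes only one, after which the `-X` in `stop` fails because the chain is still referenced. Guarding the jump, `iptables -t nat -C PREROUTING -j customfirewall_prerouting 2>/dev/null || iptables -t nat -I PREROUTING -j customfirewall_prerouting`, and looping the `-D` in `stop` until it fails makes both paths re-runnable. The fields read from /etc/default/customfirewall are expanded unquoted (`$ip`, `$proto`, `$port`, `$destination`, `$interface`) and reach `ip` and `iptables` as root without any validation, so quoting them and rejecting values outside the expected character set would stop a malformed entry from becoming extra arguments. `status` also exits 0 unconditionally, so the LSB "not running" status is never reported when the chain is absent.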
diff --git a/README b/README
new file mode 100644
index 0000000..7eabdd5
--- /dev/null
+++ b/README
@@ -0,0 +1,64 @@
+===============
+Custom firewall
+===============
+
+This is a custom firewall for bonds that is deployed via salt. It is only used
+to add port forwarding rules at the moment.
+
+
+Installing
+==========
+
+Run this on bondingadmin::
+
+ make install
+
+
+Adding a node
+=============
+
+First, create the pillar file for the node with the rules. For example, for
+node 42::
+
+ vi /etc/bondingadmin/salt-config/pillars/customfirewall/node-42.sls
+
+The file contents will contain the definitions of the rules and any needed
+additional addresses. For example to set up 2 forward rules and 2 additional
+IP addresses::
+
+ customfirewall:
+ forwards:
+ - ip: 192.168.4.7
+ protocol: tcp
+ port: 80
+ destination: 10.1.2.3
+ - ip: 172.18.27.2
+ protocol: udp
+ port: 53
+ destination: 10.2.3.4
+ addresses:
+ - interface: eth1
+ ip: 192.168.4.7/24
+ - interface: eth1
+ ip: 172.18.27.2/24
+
+If you do not need any addresses, simply don't define the addresses section.
+
+Next, match the pillar to the node in the pillar top file::
+
+ vi /etc/bondingadmin/salt-config/pillars/top.sls
+
+Make sure the definition is under the base pillar like this::
+
+ base:
+ 'node-42':
+ - customfirewall.node-42
+
+Finally add the state for the node in the state top file::
+
+ vi /etc/bondingadmin/salt-config/states/top.sls
+
+Make sure the definition is under the partner root::
+ partner:
+ 'node-42':
+ - customfirewall
diff --git a/customfirewall b/customfirewall
new file mode 100644
index 0000000..7c1a840
--- /dev/null
+++ b/customfirewall
@@ -0,0 +1,6 @@
+{% if pillar['customfirewall']['addresses'] %}
+ADDRESSES='{% for address in pillar['customfirewall']['addresses'] %}{{ address['interface'] }},{{ address['ip'] }} {% endfor %}'
+{% endif %}
+{% if pillar['customfirewall']['forwards'] %}
+FORWARDS='{% for forward in pillar['customfirewall']['forwards'] %}{{ forward['ip'] }},{{ forward['protocol'] }},{{ forward['port'] }},{{ forward['destination'] }} {% endfor %}'
+{% endif %}
diff --git a/init.sls b/init.sls
new file mode 100644
index 0000000..54721b7
--- /dev/null
+++ b/init.sls
@@ -0,0 +1,10 @@
+/etc/default/customfirewall:
+ file.managed:
+ - source: salt://{{ tpldir }}/customfirewall
+ - mode: 0644
+ - template: jinja
+
+/etc/firewall.d/40_customfirewall:
+ file.managed:
+ - source: salt://{{ tpldir }}/40_customfirewall
+ - mode: 0755
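Review bot: The pillar fields are interpolated into the single-quoted `ADDRESSES=` and `FORWARDS=` assignments with no escaping, and the rendered file is `source`d by a root shell in 40_customfirewall, so a value containing a single quote, whitespace or a stray comma changes what that script executes rather than just yielding a rejected rule. Pillar data is operator-controlled, but restricting each field to the characters an address, interface name, protocol or port can contain — either here or in the consuming script — keeps a typo in a pillar file from becoming a shell problem. The `{% if pillar['customfirewall']['addresses'] %}` test only tolerates the missing `addresses` section the README allows if the renderer turns the missing key into a falsy undefined value, which is the Jinja default but is not stated anywhere here; `{% if salt['pillar.get']('customfirewall:addresses') %}` (and likewise for `forwards`) makes that explicit and also survives a node with no `customfirewall` pillar at all.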
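Review bot: Neither `file.managed` state triggers the script when it or its configuration changes, so a highstate that rewrites /etc/default/customfirewall leaves the previously loaded addresses and NAT rules in place until something else re-runs /etc/firewall.d/40_customfirewall; whether a firewall.d runner does that on its own is not visible in this commit. A `cmd.run` with `onchanges` on both managed files applies the new rules in the same run. Both states also leave `user` and `group` to the minion default; since the config file is sourced by a root shell, pinning `- user: root` and `- group: root` on each state makes the intended ownership explicit.
```yaml
# … unchanged: the two file.managed states …
customfirewall-restart:
  cmd.run:
    - name: /etc/firewall.d/40_customfirewall restart
    - onchanges:
      - file: /etc/default/customfirewall
      - file: /etc/firewall.d/40_customfirewall
```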