Initial Commit
commit
92aa3546aa
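--- a/40_customfirewall
+++ b/40_customfirewall
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+# 40_customfirewall - Custom firewall
+#
+PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+NAME="40_customfirewall"
+
+test -f /etc/default/customfirewall || { exit 0; }
+
+source /etc/default/customfirewall
+
+
+function start() {
+log_progress_msg $NAME
+
+iptables -t nat -N customfirewall_prerouting
+iptables -t nat -I PREROUTING -j customfirewall_prerouting
+
+for address_def in $ADDRESSES ; do
+IFS=, read -r interface ip <<< "$address_def"
+ip addr add $ip dev $interface
+done
+
+for rule_def in $FORWARDS ; do
+IFS=, read -r ip proto port destination <<< "$rule_def"
+iptables -t nat -A customfirewall_prerouting -d $ip -p $proto --dport $port -j DNAT --to-destination $destination
+done
+}
+
+
+function stop() {
+log_progress_msg $NAME
+
+for address_def in $ADDRESSES ; do
+IFS=, read -r interface ip <<< "$address_def"
+ip addr del $ip dev $interface
+done
+
+iptables -t nat -D PREROUTING -j customfirewall_prerouting
+iptables -t nat -F customfirewall_prerouting
+iptables -t nat -X customfirewall_prerouting
+}
+
+
+function status() {
+iptables -t nat -nvL customfirewall_prerouting
+}
+
+
+test -f /lib/lsb/init-functions && . /lib/lsb/init-functions
+
+case "$1" in
+start)
+start
+;;
+stop)
+stop
+;;
+restart|force-reload)
+stop
+start
+;;
+status)
+status
+exit 0
+;;
+*)
+echo "Usage: $0 {start|stop|restart|force-reload|status}"
+exit 1
+;;
+esac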
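--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,12 @@
+
+STATEDIR = /etc/bondingadmin/salt-config/states/customfirewall
+PILLARDIR = /etc/bondingadmin/salt-config/pillars/customfirewall
+
+all:
+
+install:
+install -d -m 0755 $(DESTDIR)$(STATEDIR)
+install -m 0644 40_customfirewall $(DESTDIR)$(STATEDIR)/40_customfirewall
+install -m 0644 customfirewall $(DESTDIR)$(STATEDIR)/customfirewall
+install -m 0644 init.sls $(DESTDIR)$(STATEDIR)/init.sls
+install -d -m 0755 $(DESTDIR)$(PILLARDIR)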
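Review bot: Neither `all` nor `install` is declared phony, so a file or directory named `install` in the checkout makes `make install` report nothing to be done and deploy nothing; add `.PHONY: all install` above the rules. The rendered view strips leading whitespace, so I cannot confirm from this page that the five recipe lines under `install:` begin with a tab rather than spaces — worth checking, since spaces produce a "missing separator" error. Also, `40_customfirewall` carries a `#!/bin/bash` line but is staged here with mode 0644; presumably the `init.sls` installed alongside it sets the executable mode on the node, but that file's contents are not in this commit view, so confirm.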
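--- a/README
+++ b/README
@@ -0,0 +1,64 @@
+===============
+Custom firewall
+===============
+
+This is a custom firewall for bonds that is deployed via salt. It is only used
+to add port forwarding rules at the moment.
+
+
+Installing
+==========
+
+Run this on bondingadmin::
+
+make install
+
+
+Adding a node
+=============
+
+First, create the pillar file for the node with the rules. For example, for
+node 42::
+
+vi /etc/bondingadmin/salt-config/pillars/customfirewall/node-42.sls
+
+The file contents will contain the definitions of the rules and any needed
+additional addresses. For example to set up 2 forward rules and 2 additional
+IP addresses::
+
+customfirewall:
+forwards:
+- ip: 192.168.4.7
+protocol: tcp
+port: 80
+destination: 10.1.2.3
+- ip: 172.18.27.2
+protocol: udp
+port: 53
+destination: 10.2.3.4
+addresses:
+- interface: eth1
+ip: 192.168.4.7/24
+- interface: eth1
+ip: 172.18.27.2/24
+
+If you do not need any addresses, simply don't define the addresses section.
+
+Next, match the pillar to the node in the pillar top file::
+
+vi /etc/bondingadmin/salt-config/pillars/top.sls
+
+Make sure the definition is under the base pillar like this::
+
+base:
+'node-42':
+- customfirewall.node-42
+
+Finally add the state for the node in the state top file::
+
+vi /etc/bondingadmin/salt-config/states/top.sls
+
+Make sure the definition is under the partner root::
+partner:
+'node-42':
+- customfirewall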
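--- a/customfirewall
+++ b/customfirewall
@@ -0,0 +1,6 @@
+{% if pillar['customfirewall']['addresses'] %}
+ADDRESSES='{% for address in pillar['customfirewall']['addresses'] %}{{ address['interface'] }},{{ address['ip'] }} {% endfor %}'
+{% endif %}
+{% if pillar['customfirewall']['forwards'] %}
+FORWARDS='{% for forward in pillar['customfirewall']['forwards'] %}{{ forward['ip'] }},{{ forward['protocol'] }},{{ forward['port'] }},{{ forward['destination'] }} {% endfor %}'
+{% endif %}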
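Review bot: The values emitted at `ADDRESSES='...'` and `FORWARDS='...'` are copied verbatim from the pillar into a single-quoted shell assignment that 40_customfirewall later `source`s as root, so a pillar field containing a single quote ends the quoted string and the remainder of the line is interpreted as shell rather than treated as data; pillars are admin-authored, but the state should not depend on that for correctness. Validating each field in the template before it is emitted (rejecting anything outside the characters an address, interface name, protocol or port can contain, and failing the render otherwise) keeps the generated file a pure data file, and the consuming script can then stay simple. Also, `pillar['customfirewall']['addresses']` indexes the key directly while the README says the addresses section may be omitted; depending on the undefined-value mode Salt renders with, a missing key may fail the render instead of evaluating false — `salt['pillar.get']('customfirewall:addresses', [])` handles the absent case explicitly and is the usual idiom.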