Initial Commit
commit
92aa3546aa
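--- a/40_customfirewall
+++ b/40_customfirewall
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+# 40_customfirewall - Custom firewall
+#
+PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+NAME="40_customfirewall"
+
+test -f /etc/default/customfirewall || { exit 0; }
+
+source /etc/default/customfirewall
+
+
+function start() {
+log_progress_msg $NAME
+
+iptables -t nat -N customfirewall_prerouting
+iptables -t nat -I PREROUTING -j customfirewall_prerouting
+
+for address_def in $ADDRESSES ; do
+IFS=, read -r interface ip <<< "$address_def"
+ip addr add $ip dev $interface
+done
+
+for rule_def in $FORWARDS ; do
+IFS=, read -r ip proto port destination <<< "$rule_def"
+iptables -t nat -A customfirewall_prerouting -d $ip -p $proto --dport $port -j DNAT --to-destination $destination
+done
+}
+
+
+function stop() {
+log_progress_msg $NAME
+
+for address_def in $ADDRESSES ; do
+IFS=, read -r interface ip <<< "$address_def"
+ip addr del $ip dev $interface
+done
+
+iptables -t nat -D PREROUTING -j customfirewall_prerouting
+iptables -t nat -F customfirewall_prerouting
+iptables -t nat -X customfirewall_prerouting
+}
+
+
+function status() {
+iptables -t nat -nvL customfirewall_prerouting
+}
+
+
+test -f /lib/lsb/init-functions && . /lib/lsb/init-functions
+
+case "$1" in
+start)
+start
+;;
+stop)
+stop
+;;
+restart|force-reload)
+stop
+start
+;;
+status)
+status
+exit 0
+;;
+*)
+echo "Usage: $0 {start|stop|restart|force-reload|status}"
+exit 1
+;;
+esac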
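Review bot: `start` is not idempotent: `iptables -t nat -N customfirewall_prerouting` fails when the chain already exists, and the unconditional `-I PREROUTING -j customfirewall_prerouting` that follows then adds a second jump, while `stop` only removes one with `-D`, so a repeated start (or a start after a partially failed stop) leaves stale jumps in PREROUTING. Guards such as `iptables -t nat -N customfirewall_prerouting 2>/dev/null || iptables -t nat -F customfirewall_prerouting` and `iptables -t nat -C PREROUTING -j customfirewall_prerouting 2>/dev/null || iptables -t nat -I PREROUTING -j customfirewall_prerouting` make both steps safe to repeat. The values fed to `ip` and `iptables` (`$ip`, `$interface`, `$proto`, `$port`, `$destination`) are unquoted; they come from the sourced /etc/default/customfirewall, so quoting them (`ip addr add "$ip" dev "$interface"`, likewise in the `iptables -A` line and in `stop`) avoids glob expansion and keeps a malformed entry from silently turning into extra arguments. The script also has no `set -e` and checks none of the `ip`/`iptables` exit codes, so a rule that failed to install is only visible by running `status`; at least `|| log_failure_msg "$NAME"` on each call would surface it in the init output.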
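--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,12 @@
+
+STATEDIR = /etc/bondingadmin/salt-config/states/customfirewall
+PILLARDIR = /etc/bondingadmin/salt-config/pillars/customfirewall
+
+all:
+
+install:
+install -d -m 0755 $(DESTDIR)$(STATEDIR)
+install -m 0644 40_customfirewall $(DESTDIR)$(STATEDIR)/40_customfirewall
+install -m 0644 customfirewall $(DESTDIR)$(STATEDIR)/customfirewall
+install -m 0644 init.sls $(DESTDIR)$(STATEDIR)/init.sls
+install -d -m 0755 $(DESTDIR)$(PILLARDIR)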
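Review bot: The `install` target copies `init.sls` into $(STATEDIR), but this commit adds only 40_customfirewall, Makefile, README and customfirewall, so as far as the commit shows `make install` stops with an error at `install -m 0644 init.sls $(DESTDIR)$(STATEDIR)/init.sls` unless the state file exists untracked in the working tree. Either add init.sls to the commit or drop that line until the state is committed. The README's "Run this on bondingadmin" step depends on this target succeeding, so the gap is user-visible on first install.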
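--- a/README
+++ b/README
@@ -0,0 +1,64 @@
+===============
+Custom firewall
+===============
+
+This is a custom firewall for bonds that is deployed via salt. It is only used
+to add port forwarding rules at the moment.
+
+
+Installing
+==========
+
+Run this on bondingadmin::
+
+make install
+
+
+Adding a node
+=============
+
+First, create the pillar file for the node with the rules. For example, for
+node 42::
+
+vi /etc/bondingadmin/salt-config/pillars/customfirewall/node-42.sls
+
+The file contents will contain the definitions of the rules and any needed
+additional addresses. For example to set up 2 forward rules and 2 additional
+IP addresses::
+
+customfirewall:
+forwards:
+- ip: 192.168.4.7
+protocol: tcp
+port: 80
+destination: 10.1.2.3
+- ip: 172.18.27.2
+protocol: udp
+port: 53
+destination: 10.2.3.4
+addresses:
+- interface: eth1
+ip: 192.168.4.7/24
+- interface: eth1
+ip: 172.18.27.2/24
+
+If you do not need any addresses, simply don't define the addresses section.
+
+Next, match the pillar to the node in the pillar top file::
+
+vi /etc/bondingadmin/salt-config/pillars/top.sls
+
+Make sure the definition is under the base pillar like this::
+
+base:
+'node-42':
+- customfirewall.node-42
+
+Finally add the state for the node in the state top file::
+
+vi /etc/bondingadmin/salt-config/states/top.sls
+
+Make sure the definition is under the partner root::
+partner:
+'node-42':
+- customfirewall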
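--- a/customfirewall
+++ b/customfirewall
@@ -0,0 +1,6 @@
+{% if pillar['customfirewall']['addresses'] %}
+ADDRESSES='{% for address in pillar['customfirewall']['addresses'] %}{{ address['interface'] }},{{ address['ip'] }} {% endfor %}'
+{% endif %}
+{% if pillar['customfirewall']['forwards'] %}
+FORWARDS='{% for forward in pillar['customfirewall']['forwards'] %}{{ forward['ip'] }},{{ forward['protocol'] }},{{ forward['port'] }},{{ forward['destination'] }} {% endfor %}'
+{% endif %}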
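Review bot: `{% if pillar['customfirewall']['addresses'] %}` is evaluated even when the node's pillar has no `addresses` key, which the README explicitly allows; under Salt's default Jinja environment (strict undefined, as far as I recall) a missing key makes the `{% if %}` test raise rather than evaluate false, so rendering fails for exactly the nodes the README describes. `{% if salt['pillar.get']('customfirewall:addresses') %}` (and the same for `forwards`) yields an empty value for a missing key and keeps the documented behaviour. The rendered values land inside single-quoted shell strings that 40_customfirewall `source`s, so a pillar value containing `'` or shell metacharacters would be executed as shell on the node; the pillar is operator-controlled, but a comment at the top of the template such as `{# values must be plain interface names, addresses, protocols and ports; they are sourced as shell #}` would make that constraint explicit.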