| -rw-r--r-- | manifests/subsystems/firewall.pp | 303 | ||||
| -rw-r--r-- | manifests/vserver.pp | 261 | 
2 files changed, 325 insertions, 239 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index e05a2a6..1fb216c 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -344,3 +344,306 @@ class firewall::torrent {
     order           => "201",
   }
 }
+
+class firewall::router::http($destination) {
+  shorewall::rule { 'http-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    ratelimit       => '-',
+    order           => '600',
+  }
+
+  shorewall::rule { 'http-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:80",
+    proto           => 'tcp',
+    destinationport => '80',
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '601',
+  }
+}
+
+class firewall::router::https($destination) {
+  shorewall::rule { 'https-route-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "vm:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    ratelimit       => '-',
+    order           => '602',
+  }
+
+  shorewall::rule { 'https-route-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:443",
+    proto           => 'tcp',
+    destinationport => '443',
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '602',
+  }
+}
+
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141') {
+  shorewall::rule { 'puppetmaster-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:$puppetmaster_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_port",
+    ratelimit       => '-',
+    order           => '700',
+  }
+
+  shorewall::rule { 'puppetmaster-2':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:$puppetmaster_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_port",
+    ratelimit       => '-',
+    order           => '701',
+  }
+
+  shorewall::rule { 'puppetmaster-3':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:$puppetmaster_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_port",
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '702',
+  }
+
+  shorewall::rule { 'puppetmaster-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:$puppetmaster_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_port",
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '703',
+  }
+
+  shorewall::rule { 'puppetmaster-5':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:$puppetmaster_nonssl_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_nonssl_port",
+    ratelimit       => '-',
+    order           => '704',
+  }
+
+  shorewall::rule { 'puppetmaster-6':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:$puppetmaster_nonssl_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_nonssl_port",
+    ratelimit       => '-',
+    order           => '705',
+  }
+
+  shorewall::rule { 'puppetmaster-7':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:$puppetmaster_nonssl_port",
+    proto           => 'tcp',
+    destinationport => "$puppetmaster_nonssl_port",
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '706',
+  }
+
+  shorewall::rule { 'puppetmaster-8':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:$puppetmaster_nonssl_port",
+    proto           => 'udp',
+    destinationport => "$puppetmaster_nonssl_port",
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '707',
+  }
+}
+
+class firewall::router::gitd($destination) {
+  shorewall::rule { 'git-daemon-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    ratelimit       => '-',
+    order           => '800',
+  }
+
+  shorewall::rule { 'git-daemon-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:9418",
+    proto           => 'tcp',
+    destinationport => '9418',
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '801',
+  }
+}
+
+class firewall::router::icecast($destination) {
+  shorewall::rule { 'icecast-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    ratelimit       => '-',
+    order           => '900',
+  }
+
+  shorewall::rule { 'icecast-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:8000",
+    proto           => 'tcp',
+    destinationport => '8000',
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '901',
+  }
+}
+
+class firewall::router::mail($destination) {
+  shorewall::rule { 'mail-1':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    ratelimit       => '-',
+    order           => '1000',
+  }
+
+  shorewall::rule { 'mail-2':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:25",
+    proto           => 'tcp',
+    destinationport => '25',
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '1001',
+  }
+
+  shorewall::rule { 'mail-3':
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    ratelimit       => '-',
+    order           => '1002',
+  }
+
+  shorewall::rule { 'mail-4':
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => "fw:$destination:993",
+    proto           => 'tcp',
+    destinationport => '993',
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => '1003',
+  }
+}
+
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '') {
+  shorewall::rule { "ssh-$port_orig-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "vm:$destination",
+      default => "vm:$destination:$port_dest",
+    }
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+
+  shorewall::rule { "ssh-$port_orig-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "fw:$destination",
+      default => "fw:$destination:$port_dest",
+    }
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => "2$port_orig",
+  }
+}
+
+define firewall::router::munin($destination, $port_orig, $port_dest = '') {
+  shorewall::rule { "munin-$port_orig-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => $port_dest ? {
+      ''      => "fw:$destination",
+      default => "fw:$destination:$port_dest",
+    }
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    ratelimit       => '-',
+    order           => "4$id",
+  }
+
+  shorewall::rule { "munin-$port_orig-2":
+    action          => 'DNAT',
+    source          => '$FW',
+    destination     => $port_dest ? {
+      ''      => "fw:$destination",
+      default => "fw:$destination:$port_dest",
+    }
+    proto           => 'tcp',
+    destinationport => "$port_orig",
+    originaldest    => "$ipaddress",
+    ratelimit       => '-',
+    order           => "5$id",
+  }
+}
+
+class firewall::router::torrent($destination) {
+  shorewall::rule { "torrent-tcp":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => "fw:$destination",
+    proto           => 'tcp',
+    destinationport => "6881:6999",
+    ratelimit       => '-',
+    order           => "200",
+  }
+
+  shorewall::rule { "torrent-udp":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    destination     => "fw:$destination",
+    proto           => 'udp',
+    destinationport => "6881:6999",
+    ratelimit       => '-',
+    order           => "201",
+  }
+}
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index da37e6a..1e48475 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
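Review bot: The two new defines will not parse as written: in `firewall::router::ssh` and `firewall::router::munin` the `destination => $port_dest ? { ... }` selector is followed directly by `proto => 'tcp'` with no separating comma, and Puppet requires resource attribute pairs to be comma-separated, so each selector's closing brace should read `},`. In `firewall::router::torrent` the `torrent-udp` rule sets `destination` twice (`'$FW'` and then `"fw:$destination"`), which Puppet rejects as a duplicate parameter; the `destination => '$FW',` line looks like a leftover and should be dropped so the rule matches `torrent-tcp`. The `order => "4$id"` / `"5$id"` values in the munin define interpolate `$id`, which is not a parameter of that define, so inside the define it resolves to whatever `$id` is visible in the enclosing scope (possibly Facter's `id` fact rather than the vserver id) — pass it in explicitly, or derive the order from `$port_orig` as the ssh define does. Separately, `https-route-1` and `https-route-2` both use `order => '602'` where the http pair uses 600/601, and both ssh rules share `"2$port_orig"`; if `shorewall::rule` depends on distinct orders, the second rule of each pair should be renumbered.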
@@ -110,266 +110,49 @@ class nodo::vserver inherits nodo {
     # Apply firewall rules just for running vservers
     case $ensure {
       'running': {
-
-        shorewall::rule { "ssh-$context-1":
-          action          => 'DNAT',
-          source          => 'net',
-          destination     => "vm:192.168.0.$context:22",
-          proto           => 'tcp',
-          destinationport => "22$id",
-          ratelimit       => '-',
-          order           => "2$id",
-        }
-
-        shorewall::rule { "ssh-$context-2":
-          action          => 'DNAT',
-          source          => '$FW',
-          destination     => "fw:192.168.0.$context:22",
-          proto           => 'tcp',
-          destinationport => "22$id",
-          originaldest    => "$ipaddress",
-          ratelimit       => '-',
-          order           => "3$id",
-        }
-
-        shorewall::rule { "munin-$context-1":
-          action          => 'DNAT',
-          source          => 'net',
-          destination     => "fw:192.168.0.$context:49$id",
-          proto           => 'tcp',
-          destinationport => "49$id",
-          ratelimit       => '-',
-          order           => "4$id",
+        firewall::router::ssh { "ssh":
+          destination => "192.168.0.$context",
+          port_orig   => "22",
+          port_dest   => "22$id",
         }
 
-        shorewall::rule { "munin-$context-2":
-          action          => 'DNAT',
-          source          => '$FW',
-          destination     => "fw:192.168.0.$context:49$id",
-          proto           => 'tcp',
-          destinationport => "49$id",
-          originaldest    => "$ipaddress",
-          ratelimit       => '-',
-          order           => "5$id",
+        firewall::router::munin { "munin":
+          destination => "192.168.0.$context",
+          port_orig   => "49$id",
+          port_dest   => "49$id",
         }
 
         if $proxy {
-          shorewall::rule { 'http-route-1':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "vm:192.168.0.$context:80",
-            proto           => 'tcp',
-            destinationport => '80',
-            ratelimit       => '-',
-            order           => '600',
-          }
-
-          shorewall::rule { 'http-route-2':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:80",
-            proto           => 'tcp',
-            destinationport => '80',
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '601',
-          }
-
-          shorewall::rule { 'https-route-1':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "vm:192.168.0.$context:443",
-            proto           => 'tcp',
-            destinationport => '443',
-            ratelimit       => '-',
-            order           => '602',
-          }
-
-          shorewall::rule { 'https-route-2':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:443",
-            proto           => 'tcp',
-            destinationport => '443',
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '602',
+          class {
+            "firewall::router::http":  destination => "192.168.0.$context";
+            "firewall::router::https": destination => "192.168.0.$context";
           }
         }
 
         if $puppetmaster {
-          shorewall::rule { 'puppetmaster-1':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:$puppetmaster_port",
-            proto           => 'tcp',
-            destinationport => "$puppetmaster_port",
-            ratelimit       => '-',
-            order           => '700',
-          }
-
-          shorewall::rule { 'puppetmaster-2':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:$puppetmaster_port",
-            proto           => 'udp',
-            destinationport => "$puppetmaster_port",
-            ratelimit       => '-',
-            order           => '701',
-          }
-
-          shorewall::rule { 'puppetmaster-3':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:$puppetmaster_port",
-            proto           => 'tcp',
-            destinationport => "$puppetmaster_port",
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '702',
-          }
-
-          shorewall::rule { 'puppetmaster-4':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:$puppetmaster_port",
-            proto           => 'udp',
-            destinationport => "$puppetmaster_port",
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '703',
-          }
-
-          shorewall::rule { 'puppetmaster-5':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
-            proto           => 'tcp',
-            destinationport => "$puppetmaster_nonssl_port",
-            ratelimit       => '-',
-            order           => '704',
-          }
-
-          shorewall::rule { 'puppetmaster-6':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
-            proto           => 'udp',
-            destinationport => "$puppetmaster_nonssl_port",
-            ratelimit       => '-',
-            order           => '705',
-          }
-
-          shorewall::rule { 'puppetmaster-7':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
-            proto           => 'tcp',
-            destinationport => "$puppetmaster_nonssl_port",
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '706',
-          }
-
-          shorewall::rule { 'puppetmaster-8':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
-            proto           => 'udp',
-            destinationport => "$puppetmaster_nonssl_port",
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '707',
+          class {
+            "firewall::router::puppetmaster":
+              destination              => "192.168.0.$context",
+              puppetmaster_port        => $puppetmaster_port,
+              puppetmaster_nonssl_port => $puppetmaster_nonssl_port,
           }
         }
 
         if $gitd {
-          shorewall::rule { 'git-daemon-1':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:9418",
-            proto           => 'tcp',
-            destinationport => '9418',
-            ratelimit       => '-',
-            order           => '800',
-          }
-
-          shorewall::rule { 'git-daemon-2':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:9418",
-            proto           => 'tcp',
-            destinationport => '9418',
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '801',
+          class {
+            "firewall::router::gitd": destination => "192.168.0.$context";
           }
         }
 
         if $icecast {
-          shorewall::rule { 'icecast-1':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:8000",
-            proto           => 'tcp',
-            destinationport => '8000',
-            ratelimit       => '-',
-            order           => '900',
-          }
-
-          shorewall::rule { 'icecast-2':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:8000",
-            proto           => 'tcp',
-            destinationport => '8000',
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '901',
+          class {
+            "firewall::router::icecast": destination => "192.168.0.$context";
           }
         }
 
         if $mail {
-          shorewall::rule { 'mail-1':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:25",
-            proto           => 'tcp',
-            destinationport => '25',
-            ratelimit       => '-',
-            order           => '1000',
-          }
-
-          shorewall::rule { 'mail-2':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:25",
-            proto           => 'tcp',
-            destinationport => '25',
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '1001',
-          }
-
-          shorewall::rule { 'mail-3':
-            action          => 'DNAT',
-            source          => 'net',
-            destination     => "fw:192.168.0.$context:993",
-            proto           => 'tcp',
-            destinationport => '993',
-            ratelimit       => '-',
-            order           => '1002',
-          }
-
-          shorewall::rule { 'mail-4':
-            action          => 'DNAT',
-            source          => '$FW',
-            destination     => "fw:192.168.0.$context:993",
-            proto           => 'tcp',
-            destinationport => '993',
-            originaldest    => "$ipaddress",
-            ratelimit       => '-',
-            order           => '1003',
+          class {
+            "firewall::router::mail": destination => "192.168.0.$context";
           }
         }
       }  |
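Review bot: The ssh port mapping is inverted relative to the rules this hunk removes: the old `ssh-$context-*` rules matched public `destinationport => "22$id"` and forwarded to port 22 inside the vserver, while the new call passes `port_orig => "22", port_dest => "22$id"`, and in firewall.pp the define uses `$port_orig` as the matched `destinationport` and `$port_dest` as the DNAT target port. If that reading of the define is right, every running vserver now DNATs public port 22 of the host (colliding with the other vservers' rules and with the host's own sshd) to port 22$id inside the vm — a behaviour change and an exposure the commit does not mention. The two lines should be `port_orig   => "22$id",` and `port_dest   => "22",`; the munin call uses `49$id` on both sides and is unaffected. The enclosing `case $ensure` and `class nodo::vserver` begin before this hunk.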
