aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/subsystems/firewall.pp303
-rw-r--r--manifests/vserver.pp261
2 files changed, 325 insertions, 239 deletions
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index e05a2a6..1fb216c 100644
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -344,3 +344,306 @@ class firewall::torrent {
order => "201",
}
}
+
+class firewall::router::http($destination) {
+ shorewall::rule { 'http-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '600',
+ }
+
+ shorewall::rule { 'http-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '601',
+ }
+}
+
+class firewall::router::https($destination) {
+ shorewall::rule { 'https-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '602',
+ }
+
+ shorewall::rule { 'https-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '602',
+ }
+}
+
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141') {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:$puppetmaster_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_port",
+ ratelimit => '-',
+ order => '700',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:$puppetmaster_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_port",
+ ratelimit => '-',
+ order => '701',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:$puppetmaster_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '702',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:$puppetmaster_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '703',
+ }
+
+ shorewall::rule { 'puppetmaster-5':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:$puppetmaster_nonssl_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_nonssl_port",
+ ratelimit => '-',
+ order => '704',
+ }
+
+ shorewall::rule { 'puppetmaster-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:$puppetmaster_nonssl_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_nonssl_port",
+ ratelimit => '-',
+ order => '705',
+ }
+
+ shorewall::rule { 'puppetmaster-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:$puppetmaster_nonssl_port",
+ proto => 'tcp',
+ destinationport => "$puppetmaster_nonssl_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '706',
+ }
+
+ shorewall::rule { 'puppetmaster-8':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:$puppetmaster_nonssl_port",
+ proto => 'udp',
+ destinationport => "$puppetmaster_nonssl_port",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '707',
+ }
+}
+
+class firewall::router::gitd($destination) {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '800',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '801',
+ }
+}
+
+class firewall::router::icecast($destination) {
+ shorewall::rule { 'icecast-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ ratelimit => '-',
+ order => '900',
+ }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '901',
+ }
+}
+
+class firewall::router::mail($destination) {
+ shorewall::rule { 'mail-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ ratelimit => '-',
+ order => '1000',
+ }
+
+ shorewall::rule { 'mail-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:25",
+ proto => 'tcp',
+ destinationport => '25',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '1001',
+ }
+
+ shorewall::rule { 'mail-3':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ ratelimit => '-',
+ order => '1002',
+ }
+
+ shorewall::rule { 'mail-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:$destination:993",
+ proto => 'tcp',
+ destinationport => '993',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '1003',
+ }
+}
+
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '') {
+ shorewall::rule { "ssh-$port_orig-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "vm:$destination",
+ default => "vm:$destination:$port_dest",
+ }
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+
+ shorewall::rule { "ssh-$port_orig-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ }
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "2$port_orig",
+ }
+}
+
+define firewall::router::munin($destination, $port_orig, $port_dest = '') {
+ shorewall::rule { "munin-$port_orig-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ }
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ ratelimit => '-',
+ order => "4$id",
+ }
+
+ shorewall::rule { "munin-$port_orig-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => $port_dest ? {
+ '' => "fw:$destination",
+ default => "fw:$destination:$port_dest",
+ }
+ proto => 'tcp',
+ destinationport => "$port_orig",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "5$id",
+ }
+}
+
+class firewall::router::torrent($destination) {
+ shorewall::rule { "torrent-tcp":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => "fw:$destination",
+ proto => 'tcp',
+ destinationport => "6881:6999",
+ ratelimit => '-',
+ order => "200",
+ }
+
+ shorewall::rule { "torrent-udp":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ destination => "fw:$destination",
+ proto => 'udp',
+ destinationport => "6881:6999",
+ ratelimit => '-',
+ order => "201",
+ }
+}
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index da37e6a..1e48475 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -110,266 +110,49 @@ class nodo::vserver inherits nodo {
# Apply firewall rules just for running vservers
case $ensure {
'running': {
-
- shorewall::rule { "ssh-$context-1":
- action => 'DNAT',
- source => 'net',
- destination => "vm:192.168.0.$context:22",
- proto => 'tcp',
- destinationport => "22$id",
- ratelimit => '-',
- order => "2$id",
- }
-
- shorewall::rule { "ssh-$context-2":
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:22",
- proto => 'tcp',
- destinationport => "22$id",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "3$id",
- }
-
- shorewall::rule { "munin-$context-1":
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:49$id",
- proto => 'tcp',
- destinationport => "49$id",
- ratelimit => '-',
- order => "4$id",
+ firewall::router::ssh { "ssh":
+ destination => "192.168.0.$context",
+ port_orig => "22",
+ port_dest => "22$id",
}
- shorewall::rule { "munin-$context-2":
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:49$id",
- proto => 'tcp',
- destinationport => "49$id",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "5$id",
+ firewall::router::munin { "munin":
+ destination => "192.168.0.$context",
+ port_orig => "49$id",
+ port_dest => "49$id",
}
if $proxy {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "vm:192.168.0.$context:80",
- proto => 'tcp',
- destinationport => '80',
- ratelimit => '-',
- order => '600',
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '601',
- }
-
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "vm:192.168.0.$context:443",
- proto => 'tcp',
- destinationport => '443',
- ratelimit => '-',
- order => '602',
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '602',
+ class {
+ "firewall::router::http": destination => "192.168.0.$context";
+ "firewall::router::https": destination => "192.168.0.$context";
}
}
if $puppetmaster {
- shorewall::rule { 'puppetmaster-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- ratelimit => '-',
- order => '700',
- }
-
- shorewall::rule { 'puppetmaster-2':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- ratelimit => '-',
- order => '701',
- }
-
- shorewall::rule { 'puppetmaster-3':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '702',
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '703',
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => '704',
- }
-
- shorewall::rule { 'puppetmaster-6':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => '705',
- }
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '706',
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '707',
+ class {
+ "firewall::router::puppetmaster":
+ destination => "192.168.0.$context",
+ puppetmaster_port => $puppetmaster_port,
+ puppetmaster_nonssl_port => $puppetmaster_nonssl_port,
}
}
if $gitd {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:9418",
- proto => 'tcp',
- destinationport => '9418',
- ratelimit => '-',
- order => '800',
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '801',
+ class {
+ "firewall::router::gitd": destination => "192.168.0.$context";
}
}
if $icecast {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => '900',
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '901',
+ class {
+ "firewall::router::icecast": destination => "192.168.0.$context";
}
}
if $mail {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:25",
- proto => 'tcp',
- destinationport => '25',
- ratelimit => '-',
- order => '1000',
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '1001',
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:993",
- proto => 'tcp',
- destinationport => '993',
- ratelimit => '-',
- order => '1002',
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '1003',
+ class {
+ "firewall::router::mail": destination => "192.168.0.$context";
}
}
}