Diffstat (limited to 'manifests/subsystems')
-rw-r--r-- | manifests/subsystems/firewall/router.pp | 183 | ||||
-rw-r--r-- | manifests/subsystems/firewall/vserver.pp | 2 |
2 files changed, 163 insertions, 22 deletions
diff --git a/manifests/subsystems/firewall/router.pp b/manifests/subsystems/firewall/router.pp index 9384849..3a22f41 100644 --- a/manifests/subsystems/firewall/router.pp +++ b/manifests/subsystems/firewall/router.pp @@ -1,4 +1,5 @@ -class firewall::router::http($destination, $zone = 'loc') { +class firewall::router::http($destination, $zone = 'loc', $routeback = false, $routeback_dest = '', + $routeback_external_ip = '', $routeback_iface = 'eth1') { shorewall::rule { 'http-route': action => 'DNAT', source => 'all', @@ -8,9 +9,18 @@ class firewall::router::http($destination, $zone = 'loc') { ratelimit => '-', order => '600', } + + if $routeback { + firewall::router::hairpinning { 'http-route': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + } + } } -class firewall::router::https($destination, $zone = 'loc') { +class firewall::router::https($destination, $zone = 'loc', $routeback = false, $routeback_dest = '', + $routeback_external_ip = '', $routeback_iface = 'eth1') { shorewall::rule { 'https-route': action => 'DNAT', source => 'all', @@ -20,9 +30,22 @@ class firewall::router::https($destination, $zone = 'loc') { ratelimit => '-', order => '602', } + + if $routeback { + firewall::router::hairpinning { 'https-route': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => '443', + } + } } -class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'loc') { +class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', + $puppetmaster_nonssl_port = '8141', $zone = 'loc', $routeback = false, + $routeback_dest = '', $routeback_external_ip = '', + $routeback_iface = 'eth1') { shorewall::rule { 'puppetmaster-1': action => 'DNAT', source => 'all', 
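Review bot: When `$routeback` is true, the wrapper's own defaults `$routeback_dest = ''` and `$routeback_external_ip = ''` are passed straight into `firewall::router::hairpinning`, overriding its more useful defaults, so a caller that sets only `routeback => true` gets a masq/DNAT set with an empty `address`/`originaldest`; guard it inside the `if $routeback` branch with `if $routeback_dest == '' or $routeback_external_ip == '' { fail("firewall::router::http: routeback_dest and routeback_external_ip are required when routeback is set") }`. The `http-route` hairpin also omits `proto`/`port` and silently relies on the define's `'tcp'`/`'www'` defaults while every other declaration in this patch passes them explicitly; passing `proto => 'tcp', port => '80'` keeps the classes uniform and avoids depending on service-name resolution. The same empty-default issue applies to the https and puppetmaster signatures introduced in the later hunks of this line.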
@@ -62,9 +85,44 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', ratelimit => '-', order => '705', } + + if $routeback { + firewall::router::hairpinning { 'puppetmaster-1': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => $puppetmaster_port, + } + + firewall::router::hairpinning { 'puppetmaster-2': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'udp', + port => $puppetmaster_port, + } + + firewall::router::hairpinning { 'puppetmaster-3': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => $puppetmaster_nonssl_port, + } + + firewall::router::hairpinning { 'puppetmaster-4': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'udp', + port => $puppetmaster_nonssl_port, + } + } } -class firewall::router::gitd($destination, $zone = 'loc') { +class firewall::router::gitd($destination, $zone = 'loc', $routeback = false, $routeback_dest = '', + $routeback_external_ip = '', $routeback_iface = 'eth1') { shorewall::rule { 'git-daemon': action => 'DNAT', source => 'net', 
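Review bot: The `puppetmaster-2` and `puppetmaster-4` hairpins add UDP masq/DNAT entries for `$puppetmaster_port` and `$puppetmaster_nonssl_port`; the Puppet agent/master protocol is HTTPS over TCP, so unless the existing UDP DNAT rules outside this hunk (not visible here) are intentionally kept, these entries only widen the NAT surface and should be dropped along with them. If they are needed, a one-line comment such as `# UDP entries mirror the puppetmaster-2/-4 DNAT rules above; puppet itself is TCP-only` would stop the next reader from removing them as dead weight. The four declarations differ only in `proto`/`port`, which is acceptable for the Puppet version this manifest targets but is worth a note explaining why they are spelled out.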
@@ -74,12 +132,23 @@ class firewall::router::gitd($destination, $zone = 'loc') { ratelimit => '-', order => '800', } + + if $routeback { + firewall::router::hairpinning { 'git-daemon': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => '9418', + } + } } -class firewall::router::icecast($destination, $zone = 'loc') { - shorewall::rule { 'icecast-1': +class firewall::router::icecast($destination, $zone = 'loc', $routeback = false, $routeback_dest = '', + $routeback_external_ip = '', $routeback_iface = 'eth1') { + shorewall::rule { 'icecast': action => 'DNAT', - source => 'net', + source => 'all', destination => "$zone:$destination:8000", proto => 'tcp', destinationport => '8000', @@ -87,19 +156,19 @@ class firewall::router::icecast($destination, $zone = 'loc') { order => '900', } - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "$zone:$destination:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => "$ipaddress", - ratelimit => '-', - order => '901', + if $routeback { + firewall::router::hairpinning { 'icecast': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => '8000', + } } } -class firewall::router::mail($destination, $zone = 'loc') { +class firewall::router::mail($destination, $zone = 'loc', $routeback = false, $routeback_dest = '', + $routeback_external_ip = '', $routeback_iface = 'eth1') { shorewall::rule { 'mail-1': action => 'DNAT', source => 'all', 
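Review bot: In the icecast hunk the DNAT rule's `source` is widened from `'net'` to `'all'` and the separate `$FW`-scoped `icecast-2` rule (which carried `originaldest => "$ipaddress"`) is removed, so the surviving rule now applies to every zone including `loc` and `$FW`; whether that rule's own `originaldest` (outside the hunk) still pins it to the external address cannot be seen here and should be confirmed, otherwise any traffic to port 8000 from any zone is redirected. Note that when `$routeback` is set the hairpinning define adds its own `loc` -> `loc:$destination` DNAT, so the `loc` case is then covered twice; keeping `source => 'net'` here, as `git-daemon` in the preceding hunk still does, would make the two consistent. The `shorewall::rule` body continues past the end of the hunk.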
@@ -119,9 +188,29 @@ class firewall::router::mail($destination, $zone = 'loc') { ratelimit => '-', order => '1002', } + + if $routeback { + firewall::router::hairpinning { 'mail-1': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => '25', + } + + firewall::router::hairpinning { 'mail-2': + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => '993', + } + } } -define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc') { +define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc', + $routeback = false, $routeback_dest = '', $routeback_external_ip = '', + $routeback_iface = 'eth1') { shorewall::rule { "ssh-$name": action => 'DNAT', source => 'all', @@ -134,9 +223,21 @@ define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $ ratelimit => '-', order => "2$port_orig", } + + if $routeback { + firewall::router::hairpinning { "ssh-$name": + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => $port_dest, + } + } } -define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc') { +define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc', + $routeback = false, $routeback_dest = '', $routeback_external_ip = '', + $routeback_iface = 'eth1') { shorewall::rule { "munin-$name": action => 'DNAT', source => 'all', 
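Review bot: Only ports 25 and 993 receive hairpin entries, while the mail class's DNAT rules run at least to `order => '1002'`, which suggests a third forwarded port exists outside this hunk; if so it stays reachable from `net` but not from `loc` via the external address once `$routeback` is set. Either mirror every DNAT rule of the class or add `# hairpin only SMTP and IMAPS; <port> is intentionally not routed back` so the gap is documented rather than accidental.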
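Review bot: In the ssh hunk `port => $port_dest` is handed to the hairpin although `$port_dest` defaults to `''`, so a caller that relies on the default (only `$port_orig` set) produces a hairpin masq/DNAT with an empty port. Derive the effective port first, `$hairpin_port = $port_dest ? { '' => $port_orig, default => $port_dest }`, and pass `port => $hairpin_port`; how the original `ssh-$name` rule handles the empty value is outside the hunk and cannot be checked here.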
@@ -147,7 +248,16 @@ define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone proto => 'tcp', destinationport => "$port_orig", ratelimit => '-', - order => "4$id", + } + + if $routeback { + firewall::router::hairpinning { "munin-$name": + interface => $routeback_iface, + destination => $routeback_dest, + external_ip => $routeback_external_ip, + proto => 'tcp', + port => $port_dest, + } } } @@ -172,3 +282,36 @@ class firewall::router::torrent($destination, $zone = 'loc') { order => "201", } } + +class firewall::router::hairpinning($order = '200', $proto = 'tcp', $port = 'www', + $external_ip = '$ETH0_IP', $interface = 'eth1', + $destination = '192.168.1.100') { + shorewall::masq { "routeback-$name": + interface => '$interface:$destination', + source => '$interface', + address => '192.168.1.1' + proto => $proto, + port => $port, + order => $order, + } + + shorewall::masq { "routeback-$name-real-ip": + interface => '$interface:$destination', + source => '$interface', + address => $external_ip' + proto => $proto, + port => $port, + order => $order, + } + + shorewall::rule { "routeback-$name": + action => 'DNAT', + source => 'loc', + destination => "loc:$destination", + proto => $proto, + destinationport => $port, + ratelimit => '-', + order => $order, + originaldest => $external_ip, + } +} diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp index 8326761..8b01d12 100644 --- a/manifests/subsystems/firewall/vserver.pp +++ b/manifests/subsystems/firewall/vserver.pp @@ -260,7 +260,6 @@ define firewall::vserver::munin($destination, $port_orig, $port_dest = '') { proto => 'tcp', destinationport => "$port_orig", ratelimit => '-', - order => "4$id", } shorewall::rule { "munin-$name-2": @@ -274,6 +273,5 @@ define firewall::vserver::munin($destination, $port_orig, $port_dest = '') { destinationport => "$port_orig", originaldest => "$ipaddress", ratelimit => '-', - order => "5$id", } } |
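Review bot: As in the ssh define, the munin hairpin passes `port => $port_dest` whose default is `''`, so callers that set only `$port_orig` get an empty-port masq/DNAT; use `$hairpin_port = $port_dest ? { '' => $port_orig, default => $port_dest }` and pass that instead. The hunk also drops `order => "4$id"` (`$id` was never a parameter, so this fixes a real error) but leaves the munin rule with no `order` at all, which is only safe if `shorewall::rule` supplies a default — not visible here, so worth confirming.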
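Review bot: `firewall::router::hairpinning` is declared as a `class` yet the rest of the patch instantiates it with titles several times per catalog (`puppetmaster-1`..`4`, `mail-1`/`mail-2`), and `$name` inside a class evaluates to the class name rather than the title, so the second declaration fails and every `routeback-$name` masq/rule title would collide; it must be a `define`. The block also does not parse as written — `address => '192.168.1.1'` and `address => $external_ip'` lack their trailing comma and the latter has a stray quote — and the single-quoted `'$interface:$destination'` / `'$interface'` do not interpolate in Puppet, so shorewall would receive the literal text `$interface`. The router's LAN address `192.168.1.1` is hard-coded into an otherwise parameterised module and should become a parameter, and the two masq entries match identical traffic (same interface, source, proto, port, order) with different `address` values, so the second appears to be shadowed by the first — confirm which SNAT address is intended. A comment is also warranted that SNAT-ing every `$interface` client to the router address means the internal server sees all hairpinned connections from one IP, defeating per-client logging and rate limiting on that server.
```puppet
define firewall::router::hairpinning($order = '200', $proto = 'tcp', $port = 'www',
                                     $external_ip = '$ETH0_IP', $interface = 'eth1',
                                     $destination = '192.168.1.100',
                                     $router_ip = '192.168.1.1') {
  # NOTE: hairpin SNAT hides the real client address from $destination;
  # its logs and any per-client rate limiting will see $router_ip only.
  shorewall::masq { "routeback-$name":
    interface => "$interface:$destination",
    source    => $interface,
    address   => $router_ip,
    proto     => $proto,
    port      => $port,
    order     => $order,
  }

  shorewall::masq { "routeback-$name-real-ip":
    interface => "$interface:$destination",
    source    => $interface,
    address   => $external_ip,
    proto     => $proto,
    port      => $port,
    order     => $order,
  }
  # … unchanged: shorewall::rule "routeback-$name" DNAT loc -> loc:$destination …
}
```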