Diffstat (limited to 'manifests/subsystems')
-rw-r--r--manifests/subsystems/firewall/router.pp183
-rw-r--r--manifests/subsystems/firewall/vserver.pp2
2 files changed, 163 insertions, 22 deletions
diff --git a/manifests/subsystems/firewall/router.pp b/manifests/subsystems/firewall/router.pp
index 9384849..3a22f41 100644
--- a/manifests/subsystems/firewall/router.pp
+++ b/manifests/subsystems/firewall/router.pp
@@ -1,4 +1,5 @@
-class firewall::router::http($destination, $zone = 'loc') {
+class firewall::router::http($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'http-route':
action => 'DNAT',
source => 'all',
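Review bot: The new `$routeback_dest = ''` and `$routeback_external_ip = ''` defaults on lines 17-18 are handed straight to firewall::router::hairpinning whenever `$routeback` is true, and an empty string does not fall back to the define's own defaults (Puppet only does that for undef), so a caller that sets only `routeback => true` ends up with a hairpin DNAT rule whose ORIGINAL DEST is empty and a masq entry with an empty ADDRESS. If shorewall::rule passes the empty value through as `-`, that DNAT matches every loc connection to port 80 rather than only those aimed at the external address. Either require the values, `if $routeback and ($routeback_dest == '' or $routeback_external_ip == '') { fail('routeback_dest and routeback_external_ip are required when routeback is set') }`, or default them to `undef` so the define's defaults apply. The class body continues past the end of the hunk.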
@@ -8,9 +9,18 @@ class firewall::router::http($destination, $zone = 'loc') {
ratelimit => '-',
order => '600',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'http-route':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ }
+ }
}
-class firewall::router::https($destination, $zone = 'loc') {
+class firewall::router::https($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'https-route':
action => 'DNAT',
source => 'all',
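Review bot: The http hairpin on lines 28-32 passes no `proto`/`port` and so relies on hairpinning's `'www'` default, while every sibling hairpin in this change spells the port out; add `proto => 'tcp', port => '80',` here as well so the forwarded port is visible next to the DNAT rule it mirrors and cannot silently change if the define's default does. The https class header on lines 36-37 opens a class whose body continues outside the hunk.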
@@ -20,9 +30,22 @@ class firewall::router::https($destination, $zone = 'loc') {
ratelimit => '-',
order => '602',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'https-route':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '443',
+ }
+ }
}
-class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'loc') {
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
+ $puppetmaster_nonssl_port = '8141', $zone = 'loc', $routeback = false,
+ $routeback_dest = '', $routeback_external_ip = '',
+ $routeback_iface = 'eth1') {
shorewall::rule { 'puppetmaster-1':
action => 'DNAT',
source => 'all',
@@ -62,9 +85,44 @@ class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
ratelimit => '-',
order => '705',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'puppetmaster-1':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $puppetmaster_port,
+ }
+
+ firewall::router::hairpinning { 'puppetmaster-2':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'udp',
+ port => $puppetmaster_port,
+ }
+
+ firewall::router::hairpinning { 'puppetmaster-3':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $puppetmaster_nonssl_port,
+ }
+
+ firewall::router::hairpinning { 'puppetmaster-4':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'udp',
+ port => $puppetmaster_nonssl_port,
+ }
+ }
}
-class firewall::router::gitd($destination, $zone = 'loc') {
+class firewall::router::gitd($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'git-daemon':
action => 'DNAT',
source => 'net',
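Review bot: The `puppetmaster-2` and `puppetmaster-4` hairpins on lines 78-84 and 94-100 create udp DNAT and SNAT entries for the puppet ports, but the agent/master protocol is HTTPS over TCP, so these open a udp forward to `$routeback_dest` that nothing legitimate will use. If they only mirror existing udp DNAT rules for the same ports (the earlier puppetmaster rules are outside this hunk), both sets are candidates for removal; otherwise drop the two udp hairpins and keep `puppetmaster-1` and `puppetmaster-3`. The gitd class header on lines 104-105 opens a class whose body continues past the hunk.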
@@ -74,12 +132,23 @@ class firewall::router::gitd($destination, $zone = 'loc') {
ratelimit => '-',
order => '800',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'git-daemon':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '9418',
+ }
+ }
}
-class firewall::router::icecast($destination, $zone = 'loc') {
- shorewall::rule { 'icecast-1':
+class firewall::router::icecast($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
+ shorewall::rule { 'icecast':
action => 'DNAT',
- source => 'net',
+ source => 'all',
destination => "$zone:$destination:8000",
proto => 'tcp',
destinationport => '8000',
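Review bot: Widening `source` from 'net' to 'all' on line 131 makes this DNAT rule match loc clients too, so once `$routeback` is on there are two DNAT rules for loc traffic to the external address on 8000 — this one at order 900 and the hairpin at order 200 — and only the hairpin has the masq entry that keeps the return path symmetric. That is correct only as long as shorewall::rule emits the order-200 rule first, which the `order` values suggest but the hunk cannot show. A comment above the rule, `# loc clients must hit the order-200 hairpin rule first; this one serves net and $FW`, would make that dependency explicit to the next editor. The icecast class continues past the hunk.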
@@ -87,19 +156,19 @@ class firewall::router::icecast($destination, $zone = 'loc') {
order => '900',
}
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '901',
+ if $routeback {
+ firewall::router::hairpinning { 'icecast':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '8000',
+ }
}
}
-class firewall::router::mail($destination, $zone = 'loc') {
+class firewall::router::mail($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'mail-1':
action => 'DNAT',
source => 'all',
@@ -119,9 +188,29 @@ class firewall::router::mail($destination, $zone = 'loc') {
ratelimit => '-',
order => '1002',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'mail-1':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '25',
+ }
+
+ firewall::router::hairpinning { 'mail-2':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '993',
+ }
+ }
}
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc') {
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
+ $routeback = false, $routeback_dest = '', $routeback_external_ip = '',
+ $routeback_iface = 'eth1') {
shorewall::rule { "ssh-$name":
action => 'DNAT',
source => 'all',
@@ -134,9 +223,21 @@ define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $
ratelimit => '-',
order => "2$port_orig",
}
+
+ if $routeback {
+ firewall::router::hairpinning { "ssh-$name":
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $port_dest,
+ }
+ }
}
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc') {
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
+ $routeback = false, $routeback_dest = '', $routeback_external_ip = '',
+ $routeback_iface = 'eth1') {
shorewall::rule { "munin-$name":
action => 'DNAT',
source => 'all',
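Review bot: The ssh hairpin on line 204 uses `port => $port_dest` as the port loc clients connect to, but the external DNAT in this define (its rule body lies above the hunk) accepts connections on `$port_orig`, and `$port_dest` defaults to `''`. With the default, the masq entry gets an empty PORT column, which in shorewall means every tcp flow from `$routeback_iface` to `$routeback_dest` is SNATed, not just ssh; with a non-empty `$port_dest` that differs from `$port_orig` the hairpin DNAT matches a port clients never use. Since hairpinning has no separate destination-port parameter, `port => $port_orig,` is the value that mirrors the external rule; translating to a different port would need the define to take a `$port_dest` and emit `"loc:$destination:$port_dest"`. The munin define header on lines 209-211 begins a block that continues outside the hunk.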
@@ -147,7 +248,16 @@ define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone
proto => 'tcp',
destinationport => "$port_orig",
ratelimit => '-',
- order => "4$id",
+ }
+
+ if $routeback {
+ firewall::router::hairpinning { "munin-$name":
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $port_dest,
+ }
}
}
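Review bot: `port => $port_dest` on line 228 has the same problem as the ssh hairpin: `$port_dest` defaults to `''`, which yields a masq entry with an empty PORT column (all tcp from `$routeback_iface` to the destination gets SNATed) and a DNAT rule that does not match the port clients actually use, `$port_orig` on line 217; `port => $port_orig,` mirrors the external rule. Dropping `order => "4$id"` looks like a fix in itself (`$id` appears to be the facter user-name fact, not a number), but the rule now takes shorewall::rule's default order, which the hunk cannot show — worth confirming it still sorts after the hairpin rule at order 200.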
@@ -172,3 +282,36 @@ class firewall::router::torrent($destination, $zone = 'loc') {
order => "201",
}
}
+
+class firewall::router::hairpinning($order = '200', $proto = 'tcp', $port = 'www',
+ $external_ip = '$ETH0_IP', $interface = 'eth1',
+ $destination = '192.168.1.100') {
+ shorewall::masq { "routeback-$name":
+ interface => '$interface:$destination',
+ source => '$interface',
+ address => '192.168.1.1'
+ proto => $proto,
+ port => $port,
+ order => $order,
+ }
+
+ shorewall::masq { "routeback-$name-real-ip":
+ interface => '$interface:$destination',
+ source => '$interface',
+ address => $external_ip'
+ proto => $proto,
+ port => $port,
+ order => $order,
+ }
+
+ shorewall::rule { "routeback-$name":
+ action => 'DNAT',
+ source => 'loc',
+ destination => "loc:$destination",
+ proto => $proto,
+ destinationport => $port,
+ ratelimit => '-',
+ order => $order,
+ originaldest => $external_ip,
+ }
+}
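Review bot: `firewall::router::hairpinning` on line 237 is declared as a `class`, but every caller in this commit instantiates it like a defined type with a title (`firewall::router::hairpinning { 'http-route': ... }`), the body reads `$name`, and puppetmaster declares it four times — it has to be a `define`. The body also does not parse: `address => '192.168.1.1'` on line 243 and `address => $external_ip'` on line 252 lack the trailing comma (the second also carries a stray quote), and the single-quoted `'$interface:$destination'` / `'$interface'` on lines 241-242 and 250-251 are not interpolated in Puppet, so shorewall would receive the literal text. The masq address `192.168.1.1` is hard-coded even though interface and destination are parameters; take it as one. Finally, SNATing hairpinned flows to the router address means `$destination` logs the router, not the real loc client, as the source — a loss of attribution that deserves a comment on the define.

```puppet
define firewall::router::hairpinning($order = '200', $proto = 'tcp', $port = 'www',
                                     $external_ip = '$ETH0_IP', $interface = 'eth1',
                                     $destination = '192.168.1.100',
                                     $internal_ip = '192.168.1.1') {
  # Hairpin NAT: loc clients reach $destination through the external address.
  # Replies are SNATed to the router, so $destination sees the router, not the
  # loc client, as the source -- expect that in its logs and access controls.
  shorewall::masq { "routeback-$name":
    interface => "$interface:$destination",
    source    => $interface,
    address   => $internal_ip,
    proto     => $proto,
    port      => $port,
    order     => $order,
  }

  shorewall::masq { "routeback-$name-real-ip":
    interface => "$interface:$destination",
    source    => $interface,
    address   => $external_ip,
    proto     => $proto,
    port      => $port,
    order     => $order,
  }

  # ... unchanged: routeback DNAT rule ...
}
```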
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
index 8326761..8b01d12 100644
--- a/manifests/subsystems/firewall/vserver.pp
+++ b/manifests/subsystems/firewall/vserver.pp
@@ -260,7 +260,6 @@ define firewall::vserver::munin($destination, $port_orig, $port_dest = '') {
proto => 'tcp',
destinationport => "$port_orig",
ratelimit => '-',
- order => "4$id",
}
shorewall::rule { "munin-$name-2":
@@ -274,6 +273,5 @@ define firewall::vserver::munin($destination, $port_orig, $port_dest = '') {
destinationport => "$port_orig",
originaldest => "$ipaddress",
ratelimit => '-',
- order => "5$id",
}
}