From: Peter Palfrader
Date: Tue, 9 Apr 2013 17:04:13 +0000 (+0200)
Subject: nat out of vpn
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=36cd84ab1ba40e7e5a960e7c6c01062a93046582;p=mirror%2Fdsa-puppet.git

nat out of vpn
---

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 7fd1a4eab..3ab8f4ce5 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -145,6 +145,29 @@ class ferm::per-host {
 description => 'Allow ldaps access',
 rule => '&SERVICE(tcp, 636)'
 }
+ @ferm::rule { 'dsa-vpn':
+ description => 'Allow openvpn access',
+ rule => '&SERVICE(udp, 17257)'
+ }
+ @ferm::rule { 'dsa-routing':
+ description => 'forward chain',
+ chain => 'FORWARD',
+ rule => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+ }
+ @ferm::rule { 'dsa-vpn-mark':
+ table => 'mangle',
+ chain => 'PREROUTING',
+ rule => 'interface tun+ MARK set-mark 1',
+ }
+ @ferm::rule { 'dsa-vpn-nat':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+ }
 }
 cilea: {
 ferm::module { 'nf_conntrack_sip': }
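Review bot: The FORWARD chain in the 'dsa-routing' rule is given `policy ACCEPT;` and only closed by the trailing `REJECT reject-with icmp-admin-prohibited`, so if that rule set is ever partially loaded, or another ferm::rule fragment lands in FORWARD after this one, the fail-open policy is what remains; the safer form is `rule => 'policy DROP;` with the same explicit ACCEPT and REJECT lines below it, which keeps the admin-prohibited ICMP for the normal path but makes the default closed. The `interface tun+ ACCEPT` line forwards anything arriving from any tun interface to any destination the host routes to, which together with the MASQUERADE in 'dsa-vpn-nat' turns every VPN client into a full egress through this host; if that is intended it should be stated, e.g. `description => 'Forward VPN (tun+) traffic to anywhere and allow replies; reject all other forwarding'` instead of the current 'forward chain'. Neither of the mangle/nat rules restricts `domain`, so whatever the ferm::rule define emits by default applies; presumably that is IPv4 only, since MASQUERADE in the nat table is not valid for ip6 on kernels of this era, but it is worth confirming against the define. The MARK value 1 is also a shared resource; if anything else on these hosts sets or routes on fwmark 1, the NAT match here would pick it up.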