From: Peter Palfrader Date: Sat, 13 Jul 2013 10:45:36 +0000 (+0200) Subject: vpn iptables for eysler X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=9f93fe57aca5fb4a2bd7a083a860ddd4fb590565;p=mirror%2Fdsa-puppet.git vpn iptables for eysler --- diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 4a1f3713c..42a8aa197 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -113,29 +113,6 @@ class ferm::per-host { description => 'Allow ldaps access', rule => '&SERVICE(tcp, 636)' } - @ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface tun+ ACCEPT; -REJECT reject-with icmp-admin-prohibited -' - } - @ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - @ferm::rule { 'dsa-vpn-nat': - table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } } cilea: { ferm::module { 'nf_conntrack_sip': } @@ -301,4 +278,32 @@ REJECT reject-with icmp-admin-prohibited } } } + # vpn fu + case $::hostname { + draghi,eysler: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + } }