From 9f93fe57aca5fb4a2bd7a083a860ddd4fb590565 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sat, 13 Jul 2013 12:45:36 +0200 Subject: [PATCH] vpn iptables for eysler --- modules/ferm/manifests/per-host.pp | 51 ++++++++++++++++-------------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 4a1f3713c..42a8aa197 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -113,29 +113,6 @@ class ferm::per-host { description => 'Allow ldaps access', rule => '&SERVICE(tcp, 636)' } - @ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface tun+ ACCEPT; -REJECT reject-with icmp-admin-prohibited -' - } - @ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - @ferm::rule { 'dsa-vpn-nat': - table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } } cilea: { ferm::module { 'nf_conntrack_sip': } @@ -301,4 +278,32 @@ REJECT reject-with icmp-admin-prohibited } } } + # vpn fu + case $::hostname { + draghi,eysler: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + } } -- 2.20.1