Commit 01c9174a authored by Cool Fire's avatar Cool Fire

Prepare for internal IPv6 support

parent b808c6f8
......@@ -12,7 +12,7 @@ class profile::base::firewall (
purge => $purge,
}
# Default rules
# Default rules IPv4
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
......@@ -33,4 +33,30 @@ class profile::base::firewall (
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
# Default rules IPv6
firewall { '000 accept all icmp v6':
proto => 'icmp',
action => 'accept',
provider => 'ip6tables',
}
-> firewall { '001 accept all to lo interface v6':
proto => 'all',
iniface => 'lo',
action => 'accept',
provider => 'ip6tables',
}
-> firewall { '002 reject local traffic not on loopback interface v6':
iniface => '! lo',
proto => 'all',
destination => '::1/128',
action => 'reject',
provider => 'ip6tables',
}
-> firewall { '003 accept related established rules v6':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
provider => 'ip6tables',
}
}
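Review bot: The new `'000 accept all icmp v6'` rule uses `proto => 'icmp'` with `provider => 'ip6tables'`, but under ip6tables `-p icmp` selects IP protocol 1 (IPv4 ICMP), not ICMPv6 (protocol 58), so as far as I can tell the rule never matches Neighbor Discovery, Router Advertisements or Packet-Too-Big messages; if a default-drop policy is applied elsewhere (not visible in this hunk) IPv6 on the host stops working rather than being hardened. The line should be `proto => 'ipv6-icmp',`, which is the value the puppetlabs-firewall ip6tables provider documents for this case. Since ICMPv6 cannot be filtered as casually as ICMPv4, a comment such as `# ICMPv6 carries neighbor discovery and PMTUD; it must stay accepted` next to the rule would stop a later hardening pass from dropping it. The class profile::base::firewall begins before this hunk.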
......@@ -3,48 +3,39 @@
# Configure firewall rules to prevent abuse of outbound mail
#
class profile::lydia::outbound_mail_firewall(
class profile::lydia::outbound_mail_firewall (
Array $dports = [25, 465, 587],
String $localnet = '10.0.1.0/24',
) {
include firewall
firewall { '010 Accept from self':
chain => 'OUTPUT',
action => 'accept',
proto => 'tcp',
dport => $dports,
destination => $localnet,
}
firewall { '011 Accept over loopback':
chain => 'OUTPUT',
action => 'accept',
proto => 'tcp',
dport => $dports,
outiface => 'lo',
}
firewall { '012 Accept for postfix':
chain => 'OUTPUT',
action => 'accept',
proto => 'tcp',
dport => $dports,
gid => 115,
}
firewall { '013 Accept for power-users':
chain => 'OUTPUT',
action => 'accept',
proto => 'tcp',
dport => $dports,
gid => 1420,
}
firewall { '020 Drop for everything else':
chain => 'OUTPUT',
action => 'drop',
proto => 'tcp',
dport => $dports,
firewall {
default:
chain => 'OUTPUT',
action => 'accept',
proto => 'tcp',
dport => $dports;
'010 Accept from self':
destination => $localnet;
'011 Accept over loopback':
outiface => 'lo';
'011 Accept over loopback v6':
outiface => 'lo',
provider => 'ip6tables';
'012 Accept for postfix':
gid => 115;
'012 Accept for postfix v6':
gid => 115,
provider => 'ip6tables';
'013 Accept for power-users':
gid => 1420;
'013 Accept for power-users v6':
gid => 1420,
provider => 'ip6tables';
'020 Drop for everything else':
action => 'drop';
'020 Drop for everything else v6':
action => 'drop',
provider => 'ip6tables';
}
}
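Review bot: The new `'020 Drop for everything else v6'` rule, like its IPv4 twin, silently discards outbound SMTP/submission attempts from every process outside gid 115 and gid 1420, so a compromised account or web app trying to spam directly never shows up in syslog and the abuse this class exists to prevent is invisible. Adding a rate-limited LOG pair numbered 019 ahead of the drops makes it observable; it has to be a separate resource block because the shared `default:` sets `action => 'accept'`, which cannot be combined with `jump => 'LOG'`. Two smaller points: the `'010 Accept from self'` exception keyed on `$localnet` has no IPv6 counterpart, so local-network mail over IPv6 from other users is now blocked — fine if intended, but worth a one-line comment — and the numeric gids are hard-coded, so a class parameter (or group names, if the provider accepts them) would make the rule survive a different package layout.
```puppet
# Log what the 020 rules are about to drop so abuse is visible in syslog.
firewall {
  default:
    chain      => 'OUTPUT',
    proto      => 'tcp',
    dport      => $dports,
    jump       => 'LOG',
    limit      => '10/min',
    log_prefix => 'OUTBOUND-MAIL-BLOCK: ',
    log_level  => 'warning';
  '019 Log blocked outbound mail':;
  '019 Log blocked outbound mail v6':
    provider => 'ip6tables';
}
# … unchanged: 010–013 accept rules and 020 drop rules …
```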
# Class: profile::radvdserver
#
#
class profile::radvdserver (
String $interface = 'eth0'
) {
# Install package
package { 'radvd':
ensure => installed,
}
# Make sure DHCP daemon is running
service { 'radvd':
ensure => running,
enable => true,
hasrestart => true,
hasstatus => true,
require => Package['radvd'],
}
# Manage config
file { '/etc/radvd.conf':
ensure => file,
content => template('profile/radvd.conf.erb'),
notify => Service['radvd'],
}
}
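Review bot: The comment above the service resource says `# Make sure DHCP daemon is running` but the resource manages radvd, the IPv6 Router Advertisement daemon; it should read `# Make sure the router advertisement daemon (radvd) is running`. The security-relevant part is that a host sending RAs announces itself as the default IPv6 router on whatever `$interface` names, so if this class is ever applied with the WAN-side interface (the `'eth0'` default only coincidentally matches profile::router's `$lan` default) it becomes a rogue-RA source on the upstream segment. The class header comment is currently empty; it should state that `$interface` must be the LAN-facing interface and that the class is meant only for role::router, and ideally the value should come from the same data as `$lan` rather than a second independent default.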
......@@ -2,12 +2,12 @@
#
class profile::router (
String $lan = 'eth0',
String $wan = 'eth1',
Array $rslv_ips = ['9.9.9.9', '208.67.222.222', '208.67.220.220'],
Array $rslv_dom = ['insomnia247.nl'],
Hash $forwards = {},
Array $tr_blocks = [],
String $lan = 'eth0',
String $wan = 'eth1',
Array $rslv_ips = ['9.9.9.9', '208.67.222.222', '208.67.220.220'],
Array $rslv_dom = ['insomnia247.nl'],
Hash $forwards = {},
Array $tr_blocks = [],
){
include profile::base::packages
include profile::base::snmpclient
......@@ -25,34 +25,48 @@ class profile::router (
value => '1';
'net.netfilter.nf_conntrack_generic_timeout':
value => '120';
'net.ipv6.conf.all.forwarding':
value => '1';
}
# NAT for wan
firewall { '100 nat to wan':
chain => 'POSTROUTING',
jump => 'MASQUERADE',
proto => 'all',
outiface => $wan,
table => 'nat',
firewall {
default:
chain => 'POSTROUTING',
jump => 'MASQUERADE',
proto => 'all',
outiface => $wan,
table => 'nat';
'100 nat to wan':;
'100 nat to wan v6':
provider => 'ip6tables';
}
# forward packets along established/related connections
# -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
firewall { '101 forward related and established':
chain => 'FORWARD',
ctstate => ['RELATED', 'ESTABLISHED'],
proto => 'all',
action => 'accept',
firewall {
default:
chain => 'FORWARD',
ctstate => ['RELATED', 'ESTABLISHED'],
proto => 'all',
action => 'accept';
'101 forward related and established':;
'101 forward related and established v6':
provider => 'ip6tables';
}
# forward from LAN (p1p1) to WAN (p4p1)
# -A FORWARD -i p1p1 -o p4p1 -j ACCEPT
-> firewall { '102 forward from LAN to WAN':
chain => 'FORWARD',
proto => 'all',
iniface => $lan,
outiface => $wan,
action => 'accept',
-> firewall {
default:
chain => 'FORWARD',
proto => 'all',
iniface => $lan,
outiface => $wan,
action => 'accept';
'102 forward from LAN to WAN':;
'102 forward from LAN to WAN v6':
provider => 'ip6tables';
}
# Port forwarding rules
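Review bot: The new ip6tables `'101 …'` and `'102 …'` FORWARD rules accept related/established and LAN→WAN traffic, but nothing in this hunk drops everything else in the IPv6 FORWARD chain; with `net.ipv6.conf.all.forwarding` now set to 1, whether WAN hosts can reach LAN addresses directly depends on an ip6tables FORWARD policy or catch-all rule that is not visible here (the IPv4 side presumably has one outside the hunk). Confirm one exists for the ip6tables provider before this reaches a router, e.g. `'999 drop other forwarded v6': chain => 'FORWARD', proto => 'all', action => 'drop', provider => 'ip6tables'`. Also, `'100 nat to wan v6'` is MASQUERADE on IPv6 (NAT66), which needs kernel ip6table_nat support and deserves a comment saying it is deliberate for the ULA prefix, and enabling forwarding makes the kernel ignore Router Advertisements on every interface unless `accept_ra` is 2, which matters if the WAN address is RA-assigned. The class body continues outside the hunk.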
......
interface <%= @interface %>
{
AdvSendAdvert on;
prefix fd5d:12c9:4201:1::1/64 {
AdvOnLink on;
AdvAutonomous on;
};
#Send DNS Server setting
RDNSS fd5d:12c9:4201:1::1{
};
};
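Review bot: The advertised prefix `fd5d:12c9:4201:1::1/64` and the RDNSS resolver address are hard-coded in the template while the class only parameterizes `$interface`, so every router built from this profile announces the same ULA prefix and DNS server. Passing them in as class parameters (`prefix <%= @prefix %> {` and `RDNSS <%= @rdnss %> {`) keeps the address plan in data next to profile::router's `$lan` and `$rslv_ips`. The prefix stanza also carries host bits (`::1/64`); radvd appears to tolerate it, but the conventional form is the network address `fd5d:12c9:4201:1::/64`, which avoids readers confusing the advertised prefix with the router's own address that the RDNSS line implies it holds.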
......@@ -5,5 +5,6 @@ class role::router inherits role::base {
include profile::base::firewall
include profile::dhcpserver
include profile::dnsserver
include profile::radvdserver
include profile::router
}