-class firewall::router::http($destination, $zone = 'loc') {
+class firewall::router::http($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'http-route':
action => 'DNAT',
source => 'all',
ratelimit => '-',
order => '600',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'http-route':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ }
+ }
}
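Review bot: With `$routeback => true` and the remaining defaults left alone, the hairpin resource at L12 is declared with `destination => ''` and `external_ip => ''`, which (per the hairpinning definition at the end of this diff) yields a DNAT rule targeting `loc:` with a blank `originaldest` — and in Shorewall a blank ORIGINAL DEST matches every destination, so either the compile fails on the empty target or every loc client's tcp/80 connection to anywhere is redirected. Derive the hairpin target from the parameter the class already has and refuse an empty external address: `$hp_dest = $routeback_dest ? { '' => $destination, default => $routeback_dest }` and `if $routeback and $routeback_external_ip == '' { fail('routeback requires routeback_external_ip') }` ahead of the `if $routeback` block, then pass `destination => $hp_dest`. This class also leans on the definition's `port => 'www'` default while the https sibling passes `proto`/`port` explicitly; `proto => 'tcp', port => '80',` here keeps the pair consistent and independent of the default.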
-class firewall::router::https($destination, $zone = 'loc') {
+class firewall::router::https($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'https-route':
action => 'DNAT',
source => 'all',
ratelimit => '-',
order => '602',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'https-route':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '443',
+ }
+ }
}
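Review bot: This class takes `$zone` (default `'loc'`) for the DNAT target, but the hairpin it declares at L30 has no zone parameter, and the `routeback-*` rule in the definition at the end of this diff hard-codes `source => 'loc'` and `destination => "loc:$destination"`. A service published with `zone => 'dmz'` would therefore get a hairpin DNAT that matches only loc-sourced traffic and points into the wrong zone, which either fails at Shorewall compile time or installs a rule that never fires. Giving hairpinning a `$zone` parameter and passing `zone => $zone,` through here keeps the two rules in step; the sibling classes that accept `$zone` need the same.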
-class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'loc') {
+class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
+ $puppetmaster_nonssl_port = '8141', $zone = 'loc', $routeback = false,
+ $routeback_dest = '', $routeback_external_ip = '',
+ $routeback_iface = 'eth1') {
shorewall::rule { 'puppetmaster-1':
action => 'DNAT',
source => 'all',
ratelimit => '-',
order => '705',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'puppetmaster-1':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $puppetmaster_port,
+ }
+
+ firewall::router::hairpinning { 'puppetmaster-2':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'udp',
+ port => $puppetmaster_port,
+ }
+
+ firewall::router::hairpinning { 'puppetmaster-3':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $puppetmaster_nonssl_port,
+ }
+
+ firewall::router::hairpinning { 'puppetmaster-4':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'udp',
+ port => $puppetmaster_nonssl_port,
+ }
+ }
}
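Review bot: `firewall::router::hairpinning` is declared four times here (L52, L60, L68, L76) with distinct titles, but the definition added at the end of this diff is a `class`, not a `define`; Puppet permits one declaration of a class per catalog, so the second resource-like declaration fails as a duplicate and none of these hairpins land (any host that also includes the http/https/mail/ssh classes hits the same wall). The udp entries `puppetmaster-2` and `puppetmaster-4` also hairpin ports the puppet agent/master protocol does not use — it is HTTPS over TCP — so unless the DNAT rules not fully visible in this hunk really publish udp/8140 and udp/8141, dropping them shrinks the NAT surface. If those udp forwards do exist upstream, a comment such as `# udp hairpins mirror the udp DNAT rules for puppetmaster-2/-4` would record why.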
-class firewall::router::gitd($destination, $zone = 'loc') {
+class firewall::router::gitd($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'git-daemon':
action => 'DNAT',
source => 'net',
ratelimit => '-',
order => '800',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'git-daemon':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '9418',
+ }
+ }
}
-class firewall::router::icecast($destination, $zone = 'loc') {
- shorewall::rule { 'icecast-1':
+class firewall::router::icecast($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
+ shorewall::rule { 'icecast':
action => 'DNAT',
- source => 'net',
+ source => 'all',
destination => "$zone:$destination:8000",
proto => 'tcp',
destinationport => '8000',
order => '900',
}
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '901',
+ if $routeback {
+ firewall::router::hairpinning { 'icecast':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '8000',
+ }
}
}
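Review bot: The merged `icecast` rule now carries `source => 'all'` (L112) with no `originaldest`, so the DNAT applies to any tcp/8000 packet entering from any zone regardless of its destination address; the removed `icecast-2` entry had pinned the firewall-sourced case to `originaldest => "$ipaddress"`, and that restriction is gone. As I read Shorewall's ORIGINAL DEST column, a loc host connecting to an external Icecast server on port 8000 would be redirected to `$destination`, while the hairpin case is already handled by the `routeback-icecast` rule, which does carry `originaldest`. Either keep `source => 'net'` as before and let the hairpin rule cover loc, or add `originaldest => "$ipaddress",` to this rule. The rule also lost the `ratelimit => '-'` that `icecast-2` set, which is harmless only if `shorewall::rule` defaults that column.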
-class firewall::router::mail($destination, $zone = 'loc') {
+class firewall::router::mail($destination, $zone = 'loc', $routeback = false, $routeback_dest = '',
+ $routeback_external_ip = '', $routeback_iface = 'eth1') {
shorewall::rule { 'mail-1':
action => 'DNAT',
source => 'all',
ratelimit => '-',
order => '1002',
}
+
+ if $routeback {
+ firewall::router::hairpinning { 'mail-1':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '25',
+ }
+
+ firewall::router::hairpinning { 'mail-2':
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => '993',
+ }
+ }
}
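Review bot: Hairpinning tcp/25 means an internal host that submits mail via the public address is SNATed by the `routeback-*` masq entries to the router's LAN address (`192.168.1.1` in the definition at the end of this diff), so the mail server sees every such client as the router instead of its real address. If the MTA makes relay or trust decisions by client IP — a `mynetworks`-style list that includes the router, for instance — every loc host inherits that trust through the hairpin, and per-client rate limits and log attribution collapse onto one address. A header comment on this class, e.g. `# Hairpinned SMTP/IMAPS clients reach the server as the router's LAN address; never grant relay rights to that address`, plus a check of the MTA's policy would make the trade-off explicit. The tcp/993 hairpin is less sensitive but has the same effect on logs.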
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc') {
+define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
+ $routeback = false, $routeback_dest = '', $routeback_external_ip = '',
+ $routeback_iface = 'eth1') {
shorewall::rule { "ssh-$name":
action => 'DNAT',
source => 'all',
ratelimit => '-',
order => "2$port_orig",
}
+
+ if $routeback {
+ firewall::router::hairpinning { "ssh-$name":
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $port_dest,
+ }
+ }
}
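Review bot: The hairpin at L177 keys on `port => $port_dest`, but the externally visible port for this forward is `$port_orig` (the DNAT rule at L173 derives its order from it, and `$port_dest` defaults to `''`), so with the defaults the hairpin rule gets an empty `destinationport` and an empty masq `port`, and with a port-mapped forward (say 2222 → 22) it matches the wrong port. The hairpinning definition also cannot express a translation, because its DNAT target is `"loc:$destination"` with no port. At minimum `port => $port_orig,` here; if translated hairpins are wanted, give hairpinning a `$dest_port` parameter and target `"loc:$destination:$dest_port"`.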
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc') {
+define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
+ $routeback = false, $routeback_dest = '', $routeback_external_ip = '',
+ $routeback_iface = 'eth1') {
shorewall::rule { "munin-$name":
action => 'DNAT',
source => 'all',
proto => 'tcp',
destinationport => "$port_orig",
ratelimit => '-',
- order => "4$id",
+ }
+
+ if $routeback {
+ firewall::router::hairpinning { "munin-$name":
+ interface => $routeback_iface,
+ destination => $routeback_dest,
+ external_ip => $routeback_external_ip,
+ proto => 'tcp',
+ port => $port_dest,
+ }
}
}
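Review bot: The `munin-$name` rule is left with no `order` line: the removed `order => "4$id"` at L196 referenced an undefined `$id` and was already broken, but the replacement `}` at L197 closes the resource without any order while every sibling rule sets one, so if `shorewall::rule` uses it for concat ordering this rule either fails to compile or lands at a default position relative to the order-200 hairpin rule. The detached `order => "201",` at L209 looks like extraction damage or a leftover from another define and is worth confirming in the real file. A deterministic value such as `order => "4$port_orig",` mirrors the ssh define's `"2$port_orig"` scheme. The hairpin at L200 also keys on `$port_dest` (default `''`) rather than the published `$port_orig`, as in the ssh define.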
order => "201",
}
}
+
+class firewall::router::hairpinning($order = '200', $proto = 'tcp', $port = 'www',
+ $external_ip = '$ETH0_IP', $interface = 'eth1',
+ $destination = '192.168.1.100') {
+ shorewall::masq { "routeback-$name":
+ interface => '$interface:$destination',
+ source => '$interface',
+ address => '192.168.1.1'
+ proto => $proto,
+ port => $port,
+ order => $order,
+ }
+
+ shorewall::masq { "routeback-$name-real-ip":
+ interface => '$interface:$destination',
+ source => '$interface',
+ address => $external_ip'
+ proto => $proto,
+ port => $port,
+ order => $order,
+ }
+
+ shorewall::rule { "routeback-$name":
+ action => 'DNAT',
+ source => 'loc',
+ destination => "loc:$destination",
+ proto => $proto,
+ destinationport => $port,
+ ratelimit => '-',
+ order => $order,
+ originaldest => $external_ip,
+ }
+}
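Review bot: This definition will not compile as written: `address => '192.168.1.1'` at L219 and `address => $external_ip'` at L228 are both missing their trailing comma (the latter also has a stray quote), and the single-quoted `'$interface:$destination'` and `'$interface'` values at L217, L218, L226 and L227 are literals in Puppet, so Shorewall would receive the text `$interface:$destination` rather than eth1:host. It is also declared as a `class` although every caller uses it as a titled resource and it reads `$name`, so it must be a `define`. Two security caveats belong in its header comment: the masq entries SNAT hairpinned connections to a hard-coded `192.168.1.1` and to `$external_ip`, so the internal server sees the router instead of the real LAN client and any client-IP-based access control or logging on that server stops distinguishing hosts; and an empty `$external_ip` (the callers' default) leaves `originaldest` blank, which in Shorewall matches every destination, while the `'$ETH0_IP'` default is itself a literal that only works if `ETH0_IP` is defined in Shorewall's params file. The rewrite below fixes the syntax, parameterises the SNAT address and zone, and rejects an empty external address.
```puppet
# Hairpin (NAT loopback) for one published service: clients inside $zone that
# connect to $external_ip:$port are DNATed back to $destination and SNATed to
# $snat_address so replies return via the router. The internal server therefore
# sees $snat_address (or $external_ip), never the real client address.
define firewall::router::hairpinning($order = '200', $proto = 'tcp', $port = 'www',
  $external_ip = '$ETH0_IP', $interface = 'eth1',
  $destination = '192.168.1.100', $snat_address = '192.168.1.1', $zone = 'loc') {
  # A blank ORIGINAL DEST would make the DNAT below match every destination.
  if $external_ip == '' {
    fail("firewall::router::hairpinning[$name]: external_ip must not be empty")
  }

  shorewall::masq { "routeback-$name":
    interface => "$interface:$destination",
    source    => $interface,
    address   => $snat_address,
    # … unchanged: proto, port, order …
  }

  shorewall::masq { "routeback-$name-real-ip":
    interface => "$interface:$destination",
    source    => $interface,
    address   => $external_ip,
    # … unchanged: proto, port, order …
  }

  shorewall::rule { "routeback-$name":
    source      => $zone,
    destination => "$zone:$destination",
    # … unchanged: action, proto, destinationport, ratelimit, order, originaldest …
  }
}
```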