# firewalls.pp - configure firewalls
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Common infrastructure
# Baseline shared by the firewall nodes below (fw-schmidg and fw-maria
# include it; fw-treu has the include commented out).  Sets the MTA choice
# and pulls in the common service classes.
class firewall {
# $mta is assigned before the includes; presumably one of the included
# classes reads it through dynamic scoping — the consumer is not visible here.
$mta = exim4
include dbp
include backuppc::client
include ssh::server
# Host-level packet-filter policy; defined outside this file.
include firewall_class
include david::sudo
}
# The firewall at my parents place. Has the IP of the primary nameserver of all
# our domains.
# fw-schmidg: LAN gateway on 10.10.7.0/24, public uplink on 85.125.165.34
# with a second public address (.46) on an alias, authoritative (master)
# nameserver and OpenVPN endpoint.  Node-scope variables are set first so
# the included classes can pick them up (presumably via dynamic scoping).
node fw-schmidg {
$nagios_parent = "router-schmidg"
# Non-default SSH port; presumably consumed by ssh::server (included via
# class firewall) — confirm against that class.
$ssh_port = 2200
$dhcp_subnet = "10.10.7"
$uplink_speed = 2048
$downlink_speed = 2048
$ntp_servers = [ "time.inode.at", "ntp2b.mcc.ac.uk", "pluto.fips.at" ]
# BIND serves as master and is bound to the primary public address only,
# so it does not listen on the LAN side (dnsmasq handles that below).
$bind_type = 'master'
$bind_bindaddress = "85.125.165.34"
$dnsmasq_interface = 'lan'
$dnsmasq_listen_address = "${dhcp_subnet}.1"
$edv_bus_ns = 'master'
include edv_bus_nameserver
include asterisk
include firewall
include shaper
include bind::master
ifupdown::interface {
# Inside interface: this host is the .1 gateway of the DHCP subnet.
"lan":
ipaddress => "${dhcp_subnet}.1",
netmask => "255.255.255.0",
macaddress => "00:40:63:e9:11:10";
# Public uplink.  The up/down hooks manage the NAT rules for the LAN:
# traffic leaving through tun0 (the OpenVPN tunnel) is ACCEPTed without
# NAT, everything else is SNATed to the uplink address.  The trailing
# "# ..." text sits inside the command strings and is only harmless
# because ifupdown hands these commands to a shell, which drops it as a
# comment.  The down hooks delete the same rules in reverse order.
"uplink":
ipaddress => "85.125.165.34",
netmask => "255.255.255.240",
macaddress => "00:40:63:e9:11:11",
gateway => "85.125.165.33",
up => [
"iptables --table nat --append POSTROUTING --source 10.10.7.0/24 --out-interface tun0 --jump ACCEPT # Accept packages to uni-ak without NAT",
"iptables --table nat --append POSTROUTING --source 10.10.7.0/24 --out-interface uplink --jump SNAT --to-source 85.125.165.34 # SNAT everything else to our external IP"
],
down => [
"iptables --table nat --delete POSTROUTING --source 10.10.7.0/24 --out-interface uplink --jump SNAT --to-source 85.125.165.34",
"iptables --table nat --delete POSTROUTING --source 10.10.7.0/24 --out-interface tun0 --jump ACCEPT"
];
# Second public address on an alias; listed as an exim relay source below.
"uplink:vpn":
ipaddress => "85.125.165.46",
netmask => "255.255.255.240";
}
# Both public addresses may relay mail through the local exim.
exim4::relay_from { [ "85.125.165.34", "85.125.165.46"]: }
package { "openvpn": ensure => installed }
# 'pattern' tells the service provider how to find the running process.
service { "openvpn": ensure => running, pattern => '[o]penvpn' }
config_file {
# Static DHCP lease for the printer (MAC -> .120); dnsmasq is restarted
# when it changes.
"/etc/dnsmasq.d/local_printer":
content => "dhcp-host=00:30:6e:d2:91:d9,10.10.7.120\n",
notify => Service["dnsmasq"];
# Tunnel config fetched from the puppet fileserver; package first.
"/etc/openvpn/uni-ak.conf":
source => "puppet://$servername/files/openvpn-uni-ak.conf",
require => Package["openvpn"];
}
file {
# Private key for the tunnel.  file() reads it on the puppetmaster at
# compile time, so the key material is embedded in the compiled catalog
# rather than fetched from the fileserver.  root:root 0640 keeps it
# unreadable to other local users.
"/etc/openvpn/keys/p0002046-diode.key":
content => file("/etc/puppet/secrets/fw-schmidg/keys/p0002046-diode.key"),
mode => 0640, owner => root, group => root;
# Remaining key material copied recursively from the fileserver with the
# same restrictive mode.  The explicitly declared key file above takes
# precedence over the recursive copy for that one path.
"/etc/openvpn/keys":
source => "puppet://$servername/files/fw-schmidg/keys",
recurse => true,
mode => 0640, owner => root, group => root;
}
}
# fw-maria: LAN gateway on 192.168.1.0/24, public uplink on 85.125.165.77
# with a second public address (.66) for BIND, plus a Samba file server
# backed by an external disk.  DNS for the LAN is dnsmasq with a static
# hosts file.  Node-scope variables are set before the includes so the
# classes can pick them up (presumably via dynamic scoping).
node fw-maria {
$nagios_parent = "router-mariatreu"
# Non-default SSH port; presumably consumed by ssh::server (included via
# class firewall) — confirm against that class.
$ssh_port = 2200
$dhcp_subnet = "192.168.1"
$uplink_speed = 2048
$downlink_speed = 2048
# stable low-load server should have a lower stratum, so we have a local
# master if all falls apart
$ntp_local_stratum = 11
$ntp_servers = [ "time.inode.at", "fartein.ifi.uio.no", "ntp1.nack.at" ]
# BIND listens on the secondary public address (the "uplink:1" alias
# declared below), not on the LAN.
$bind_bindaddress = "85.125.165.66"
$dnsmasq_interface = 'lan'
$dnsmasq_listen_address = "${dhcp_subnet}.1"
$manage_dns = 'manual'
include firewall
# manually configured in /etc/openvpn
include openvpn
include shaper
# $edv_bus_ns = 'slave'
# include edv_bus_nameserver
include bind::master
package{ samba: ensure => installed, }
# 'pattern' matches both smbd and nmbd when checking the service.
service{ samba: ensure => running, pattern => "[sn]mbd" }
config_file { "/etc/samba/smb.conf": source => "puppet://$servername/files/fw-maria/smb.conf", notify => Service["samba"] }
# World-readable netlogon share directory, created before samba starts.
file { "/var/local/samba_netlogon": ensure => directory, mode => 0755, owner => root, group => root, before => Service["samba"] }
ifupdown::interface {
# Inside interface: this host is the .1 gateway of the DHCP subnet.
"lan":
ipaddress => "${dhcp_subnet}.1",
netmask => "255.255.255.0",
macaddress => "00:40:63:e9:16:2e";
# Second LAN address (.2) used for Samba.
"lan:samba":
ipaddress => "${dhcp_subnet}.2",
netmask => "255.255.255.0";
# Public uplink.  The up hooks install, in order: an ACCEPT for forwarded
# SMTP (port 25) to 85.125.165.68 (the intended mail host — not named on
# this page), a REJECT for all other SMTP forwarded from the LAN (so LAN
# machines cannot send mail directly to the Internet), and SNAT of LAN
# traffic to the uplink address.  The down hooks delete the same rules in
# reverse order.
"uplink":
ipaddress => "85.125.165.77",
netmask => "255.255.255.240",
macaddress => "00:40:63:e9:16:2f",
gateway => "85.125.165.65",
up => [
"iptables -t filter -A FORWARD -p tcp -d 85.125.165.68/32 --destination-port 25 -j ACCEPT",
"iptables -t filter -A FORWARD -p tcp -s 192.168.1.0/24 --destination-port 25 -j REJECT",
"iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o uplink -j SNAT --to 85.125.165.77"
],
down => [
"iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o uplink -j SNAT --to 85.125.165.77",
"iptables -t filter -D FORWARD -p tcp -s 192.168.1.0/24 --destination-port 25 -j REJECT",
"iptables -t filter -D FORWARD -p tcp -d 85.125.165.68/32 --destination-port 25 -j ACCEPT"
];
# Secondary public address; matches $bind_bindaddress above.
"uplink:1":
ipaddress => "85.125.165.66",
netmask => "255.255.255.240";
}
# Publish an A record for this host's own name pointing at the uplink
# address.  $fqdn/$ipaddress/$hostname/$domain are facter facts.
bind::a2 {
"${fqdn}_${ipaddress}":
rrname => $hostname,
domain => $domain,
ip => "85.125.165.77";
}
# Both public addresses may relay mail through the local exim.
exim4::relay_from { [ "85.125.165.66", "85.125.165.77"]: }
file { "/media/externe_platte": ensure => directory }
mount {
# External disk, located by filesystem label.
"/media/externe_platte":
device => "LABEL=EXT",
ensure => mounted,
options => 'defaults',
fstype => 'ext3',
atboot => true;
# Samba data lives on the external disk and is bind-mounted into place;
# it depends on the disk mount and restarts samba when it changes.
"/var/lib/samba":
device => "/media/externe_platte/samba",
ensure => mounted,
options => bind,
atboot => true,
fstype => 'none',
require => Mount["/media/externe_platte"],
notify => Service["samba"],
}
## Additional IPs for Door
config_file {
# Old hosts file, removed.
"/etc/door_hosts":
ensure => absent;
# Static name entries served by dnsmasq to the LAN; fw-treu's address here
# matches the static address configured on that node.
"/etc/additional_hosts":
content => "192.168.1.124 door1\n192.168.1.125 door2\n192.168.1.126 door3\n192.168.1.123 accesspoint123\n192.168.1.122 accesspoint122\n192.168.1.121 accesspoint121\n192.168.1.3 fw-treu\n",
notify => Service[dnsmasq];
# dnsmasq drop-in loading the file above.  The require names File[...]
# although the file is declared via config_file — presumably config_file
# is a define wrapping a file resource of the same title; confirm.
"/etc/dnsmasq.d/additional_hosts":
content => "# load additional hosts into DNS:\naddn-hosts=/etc/additional_hosts\n",
require => File["/etc/additional_hosts"],
notify => Service[dnsmasq];
}
}
# fw-treu: a host on fw-maria's LAN (192.168.1.0/24) with a static address,
# monitored via fw-maria.  The firewall class is commented out, so it gets
# the common services directly but NOT firewall_class — i.e. no host-level
# packet-filter policy from this manifest.
node fw-treu {
$nagios_parent = "fw-maria"
# Set for consistency with the other nodes; presumably read by ssh::server.
$ssh_port = 2200
#$dhcp_subnet = "192.168.130"
#include firewall
include dbp
include ssh::server
include backuppc::client
include david::sudo
ifupdown::interface {
# Static LAN address; the gateway is fw-maria's "lan" address (.1).
"lan":
ipaddress => "192.168.1.3",
gateway => "192.168.1.1",
netmask => "255.255.255.0",
macaddress => "00:40:63:e9:1b:94";
}
#$edv_bus_ns = 'slave'
#include edv_bus_nameserver
}