# firewalls.pp - configure firewalls | |
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at> | |
# See LICENSE for the full license granted to you. | |
# Common infrastructure | |
class firewall {
    # Settings shared by every firewall host. $mta is set here before the
    # includes; presumably one of the included classes reads it through the
    # old dynamic scope — verify against those classes.
    $mta = 'exim4'

    include dbp
    include backuppc::client
    include ssh::server
    include firewall_class
    include david::sudo
}
# The firewall at my parents' place. It has the IP of the primary nameserver of all
# our domains.
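node fw-schmidg {
    # Per-host settings. They are assigned before the includes so the
    # included classes can read them (old dynamic-scope style).
    $nagios_parent          = 'router-schmidg'
    $ssh_port               = 2200
    $dhcp_subnet            = '10.10.7'
    $uplink_speed           = 2048
    $downlink_speed         = 2048
    $ntp_servers            = [ 'time.inode.at', 'ntp2b.mcc.ac.uk', 'pluto.fips.at' ]
    $bind_type              = 'master'
    $bind_bindaddress       = '85.125.165.34'
    $dnsmasq_interface      = 'lan'
    $dnsmasq_listen_address = "${dhcp_subnet}.1"
    $edv_bus_ns             = 'master'

    include edv_bus_nameserver
    include asterisk
    include firewall
    include shaper
    include bind::master

    ifupdown::interface {
        'lan':
            ipaddress  => "${dhcp_subnet}.1",
            netmask    => '255.255.255.0',
            macaddress => '00:40:63:e9:11:10';
        'uplink':
            ipaddress  => '85.125.165.34',
            netmask    => '255.255.255.240',
            macaddress => '00:40:63:e9:11:11',
            gateway    => '85.125.165.33',
            # NAT for the LAN: traffic leaving through the VPN tunnel (tun0)
            # is accepted unchanged, everything else leaving via uplink is
            # source-NATed to the external address. The trailing '# ...' in
            # each command is presumably consumed as a shell comment by the
            # ifupdown hook, not passed to iptables — confirm.
            up         => [
                'iptables --table nat --append POSTROUTING --source 10.10.7.0/24 --out-interface tun0 --jump ACCEPT # Accept packages to uni-ak without NAT',
                'iptables --table nat --append POSTROUTING --source 10.10.7.0/24 --out-interface uplink --jump SNAT --to-source 85.125.165.34 # SNAT everything else to our external IP'
            ],
            # Rules are removed in reverse order of insertion.
            down       => [
                'iptables --table nat --delete POSTROUTING --source 10.10.7.0/24 --out-interface uplink --jump SNAT --to-source 85.125.165.34',
                'iptables --table nat --delete POSTROUTING --source 10.10.7.0/24 --out-interface tun0 --jump ACCEPT'
            ];
        'uplink:vpn':
            ipaddress  => '85.125.165.46',
            netmask    => '255.255.255.240';
    }

    exim4::relay_from { [ '85.125.165.34', '85.125.165.46' ]: }

    # OpenVPN link to uni-ak. The service is ordered after its package, and
    # the config file and key material notify it, so a fresh host converges
    # in a single run and changed config/keys are actually picked up
    # (previously nothing restarted openvpn after a change).
    package { 'openvpn': ensure => installed }
    service { 'openvpn':
        ensure  => running,
        pattern => '[o]penvpn',
        require => Package['openvpn'],
    }

    config_file {
        '/etc/dnsmasq.d/local_printer':
            content => "dhcp-host=00:30:6e:d2:91:d9,10.10.7.120\n",
            notify  => Service['dnsmasq'];
        '/etc/openvpn/uni-ak.conf':
            source  => "puppet://$servername/files/openvpn-uni-ak.conf",
            require => Package['openvpn'],
            notify  => Service['openvpn'];
    }

    # Key material. The private key is read on the puppetmaster at compile
    # time via file() and shipped inside the catalog; on disk it is kept
    # root-only (0640 root:root). Both resources now depend on the package
    # so /etc/openvpn exists before they are applied.
    file {
        '/etc/openvpn/keys/p0002046-diode.key':
            content => file('/etc/puppet/secrets/fw-schmidg/keys/p0002046-diode.key'),
            mode    => 0640, owner => root, group => root,
            require => Package['openvpn'],
            notify  => Service['openvpn'];
        '/etc/openvpn/keys':
            source  => "puppet://$servername/files/fw-schmidg/keys",
            recurse => true,
            mode    => 0640, owner => root, group => root,
            require => Package['openvpn'],
            notify  => Service['openvpn'];
    }
}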
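node fw-maria {
    # Per-host settings. They are assigned before the includes so the
    # included classes can read them (old dynamic-scope style).
    $nagios_parent          = 'router-mariatreu'
    $ssh_port               = 2200
    $dhcp_subnet            = '192.168.1'
    $uplink_speed           = 2048
    $downlink_speed         = 2048
    # A stable, low-load server should have a lower stratum, so we keep a
    # local master if everything else falls apart.
    $ntp_local_stratum      = 11
    $ntp_servers            = [ 'time.inode.at', 'fartein.ifi.uio.no', 'ntp1.nack.at' ]
    $bind_bindaddress       = '85.125.165.66'
    $dnsmasq_interface      = 'lan'
    $dnsmasq_listen_address = "${dhcp_subnet}.1"
    $manage_dns             = 'manual'

    include firewall
    # manually configured in /etc/openvpn
    include openvpn
    include shaper
    # $edv_bus_ns = 'slave'
    # include edv_bus_nameserver
    include bind::master

    # Samba. The service is ordered after its package (previously it could
    # be evaluated first on a fresh host); smb.conf and the bind mount
    # below notify it.
    package { 'samba': ensure => installed }
    service { 'samba':
        ensure  => running,
        pattern => '[sn]mbd',
        require => Package['samba'],
    }
    config_file { '/etc/samba/smb.conf':
        source => "puppet://$servername/files/fw-maria/smb.conf",
        notify => Service['samba'],
    }
    file { '/var/local/samba_netlogon':
        ensure => directory,
        mode   => 0755, owner => root, group => root,
        before => Service['samba'],
    }

    ifupdown::interface {
        'lan':
            ipaddress  => "${dhcp_subnet}.1",
            netmask    => '255.255.255.0',
            macaddress => '00:40:63:e9:16:2e';
        'lan:samba':
            ipaddress  => "${dhcp_subnet}.2",
            netmask    => '255.255.255.0';
        'uplink':
            ipaddress  => '85.125.165.77',
            netmask    => '255.255.255.240',
            macaddress => '00:40:63:e9:16:2f',
            gateway    => '85.125.165.65',
            # Forwarded SMTP from the LAN is allowed only towards
            # 85.125.165.68; any other port-25 traffic from the LAN is
            # rejected, so the ACCEPT rule must stay ahead of the REJECT.
            # Remaining LAN traffic is source-NATed to the uplink address.
            up         => [
                'iptables -t filter -A FORWARD -p tcp -d 85.125.165.68/32 --destination-port 25 -j ACCEPT',
                'iptables -t filter -A FORWARD -p tcp -s 192.168.1.0/24 --destination-port 25 -j REJECT',
                'iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o uplink -j SNAT --to 85.125.165.77'
            ],
            # Rules are removed in reverse order of insertion.
            down       => [
                'iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o uplink -j SNAT --to 85.125.165.77',
                'iptables -t filter -D FORWARD -p tcp -s 192.168.1.0/24 --destination-port 25 -j REJECT',
                'iptables -t filter -D FORWARD -p tcp -d 85.125.165.68/32 --destination-port 25 -j ACCEPT'
            ];
        'uplink:1':
            ipaddress  => '85.125.165.66',
            netmask    => '255.255.255.240';
    }

    # Presumably publishes this host's A record with the uplink address
    # (bind::a2 is a site-local define — verify).
    bind::a2 { "${fqdn}_${ipaddress}":
        rrname => $hostname,
        domain => $domain,
        ip     => '85.125.165.77',
    }
    exim4::relay_from { [ '85.125.165.66', '85.125.165.77' ]: }

    # External disk holding the samba data. The mount point directory is
    # an explicit prerequisite of the mount so it is never evaluated first.
    file { '/media/externe_platte': ensure => directory }
    mount {
        '/media/externe_platte':
            device  => 'LABEL=EXT',
            ensure  => mounted,
            options => 'defaults',
            fstype  => 'ext3',
            atboot  => true,
            require => File['/media/externe_platte'];
        '/var/lib/samba':
            device  => '/media/externe_platte/samba',
            ensure  => mounted,
            options => 'bind',
            atboot  => true,
            fstype  => 'none',
            require => Mount['/media/externe_platte'],
            notify  => Service['samba'];
    }

    ## Additional IPs for Door
    # The old /etc/door_hosts is retired; dnsmasq reads the new list via
    # addn-hosts and is reloaded whenever either file changes.
    config_file {
        '/etc/door_hosts':
            ensure  => absent;
        '/etc/additional_hosts':
            content => "192.168.1.124 door1\n192.168.1.125 door2\n192.168.1.126 door3\n192.168.1.123 accesspoint123\n192.168.1.122 accesspoint122\n192.168.1.121 accesspoint121\n192.168.1.3 fw-treu\n",
            notify  => Service['dnsmasq'];
        '/etc/dnsmasq.d/additional_hosts':
            content => "# load additional hosts into DNS:\naddn-hosts=/etc/additional_hosts\n",
            require => File['/etc/additional_hosts'],
            notify  => Service['dnsmasq'];
    }
}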
node fw-treu {
    # Per-host settings, assigned before the includes.
    $nagios_parent = 'fw-maria'
    $ssh_port      = 2200
    #$dhcp_subnet = "192.168.130"

    # Only the common client pieces are pulled in here; the firewall
    # classes stay commented out, so nothing in this node manages the
    # host's packet filter.
    #include firewall
    include dbp
    include ssh::server
    include backuppc::client
    include david::sudo

    # Single LAN interface behind fw-maria (192.168.1.1); fw-maria's
    # /etc/additional_hosts lists this address under the name fw-treu.
    ifupdown::interface {
        'lan':
            ipaddress  => '192.168.1.3',
            gateway    => '192.168.1.1',
            netmask    => '255.255.255.0',
            macaddress => '00:40:63:e9:1b:94';
    }

    #$edv_bus_ns = 'slave'
    #include edv_bus_nameserver
}