forked from stove/dataset
58 lines
3.2 KiB
Desktop File
58 lines
3.2 KiB
Desktop File
[Unit]
|
|
Description=Firewall for Risotto
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
RemainAfterExit=yes
|
|
{% set ns = namespace(has_rules=False, incoming_ports={"tcp": {}, "udp": {}}) %}
|
|
{% for dns in machined.machines %}
|
|
{% set machine = dns|normalize_family %}
|
|
{% set outgoing = machined["machine_" + machine]["outgoing_ports_" + machine] %}
|
|
{% if outgoing %}
|
|
{% set ip = machined["machine_" + machine]["ip_" + machine] %}
|
|
{% for port in outgoing %}
|
|
{% if ":" in port %}
|
|
{% set protocol, port = port.split(":") %}
|
|
{% else %}
|
|
{% set protocol = "tcp" %}
|
|
{% endif %}
|
|
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
|
|
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
|
|
{% set ns.has_rules = True %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% set incoming = machined["machine_" + machine]["incoming_ports_" + machine] %}
|
|
{% for port in incoming %}
|
|
{% if ":" in port %}
|
|
{% set protocol, port = port.split(":") %}
|
|
{% else %}
|
|
{% set protocol = "tcp" %}
|
|
{% endif %}
|
|
{% if port in ns.incoming_ports[protocol] %}
|
|
{% set msg = 'the port "' + port + '" cannot be deployed for multiple machines: "' + dns + '" and "' + ns.incoming_ports[protocol][port] + '"' %}
|
|
{{ msg|raise }}
|
|
{% endif %}
|
|
{% set x=ns.incoming_ports.__getitem__(protocol).__setitem__(port, dns) %}
|
|
{% endfor %}
|
|
{% endfor %}
|
|
{% if not ns.has_rules %}
|
|
ExecStart=/usr/bin/echo "No rule"
|
|
{% endif %}
|
|
#FIXME
|
|
ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
|
|
ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
|
|
ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
|
|
ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
|
|
ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
|
|
#FIXME
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|