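#!/bin/sh
#
# libvirt "qemu" hook rendered from an Ansible/Jinja2 template: when a VM is
# started, insert iptables rules so the host's local subnet, the portal host
# and inbound HTTP can reach the VMs. libvirt invokes hooks as
#   <script> <vm-name> <operation> <sub-operation> <extra-args>
# and only the "start" operation is acted on below.
# NOTE(review): nothing removes these rules again (no "stopped" branch);
# confirm that is intended.

# Assigning SHELL does not change the interpreter this script runs under
# (the shebang does); kept for compatibility with the original.
SHELL="/bin/bash"

# Interface carrying the default route. iproute2 is used instead of the
# deprecated net-tools `route` (the file already depends on `ip` below), and
# only the first default route is considered so NIC is always a single word.
NIC=$( ip -4 route show default | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }' )

# Portal address as resolved right now. dig +short lists CNAME targets before
# the final A record, hence only the last line is kept. Only a plain IPv4
# literal is accepted: on failure dig prints diagnostics on stdout, and that
# text must never be spliced into an iptables rule spec.
# NOTE(review): an unauthenticated DNS answer decides which source address
# receives an ACCEPT rule; a pinned address or a DNSSEC-validating resolver
# would be safer.
PORTAL=$( dig +short portal.opencloud.us | tail -1 )
case "$PORTAL" in
  ''|*[!0-9.]*)
    echo "qemu hook: portal.opencloud.us did not resolve to an IPv4 address (got '$PORTAL'); portal rule will be skipped" >&2
    PORTAL=""
    ;;
esac

# First IPv4 address/prefix on the default-route interface (e.g. 10.0.0.5/24);
# iptables applies the prefix mask when it is used with -s/-d. Limited to one
# line because a second address would word-split into two -s arguments.
SUBNET=$( ip addr show "$NIC" | grep "inet " | awk '{print $2}' | head -1 )
{% set vm_net = ( virt_nets | selectattr("head_vms", "defined") | first ) %}
# Same for the libvirt network hosting the head-node VMs; the interface name
# is filled in by the template from the first virt_nets entry defining head_vms.
PRIVATENET=$( ip addr show "{{ vm_net.name }}" | grep "inet " | awk '{print $2}' | head -1 )

# Hook arguments, in the order libvirt passes them.
NAME="${1}"    # VM name (not used by this hook)
OP="${2}"      # operation; only "start" triggers rule insertion
SUBOP="${3}"   # sub-operation (not used)
ARGS="${4}"    # extra arguments (not used)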
16
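#######################################
# Ensure an iptables rule exists, inserting it at the top of its chain if not.
# Arguments:
#   $1 - chain name (e.g. FORWARD, POSTROUTING)
#   $2 - the rest of the rule spec as ONE string; it is deliberately
#        word-split when handed to iptables, so it may carry "-t nat" too.
# Returns:
#   0 if the rule already existed or was inserted; otherwise the exit status
#   of the failed insert (e.g. a malformed spec), with a message on stderr.
# Note: "-I <chain> 1" places the rule ahead of every existing rule in the
# chain, including any deny rules, so each call widens what the chain accepts.
#######################################
add_rule() {
  local chain="$1"
  local spec="$2"
  local rc
  # -C exits non-zero when no matching rule exists; its "Bad rule" message is
  # expected noise, so it is silenced. (iptables also exits 2 for an invalid
  # spec; that case surfaces, unsilenced, on the -I below.)
  # shellcheck disable=SC2086  # $spec must split into separate arguments
  if iptables -C "$chain" $spec 2>/dev/null; then
    return 0
  fi
  # shellcheck disable=SC2086
  iptables -I "$chain" 1 $spec
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "qemu hook: failed to insert rule into $chain: $spec" >&2
    return "$rc"
  fi
  return 0
}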
26
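#######################################
# Let the host's local subnet be forwarded to the VMs, and keep traffic from
# the VM network towards that subnet out of NAT.
# Globals:
#   SUBNET     - host interface address/prefix (read)
#   PRIVATENET - VM network address/prefix (read)
# Returns:
#   status of the last add_rule call, or 0 when a value is empty: the rule is
#   then skipped with a message on stderr instead of handing iptables a
#   malformed "-s  -j ACCEPT" spec.
#######################################
add_local_access_rules() {
  if [ -z "$SUBNET" ]; then
    echo "qemu hook: SUBNET is empty, not adding local access rules" >&2
    return 0
  fi
  # Anything sourced from the local subnet may be forwarded; inserted ahead
  # of all existing FORWARD rules.
  add_rule "FORWARD" "-s $SUBNET -j ACCEPT"
  if [ -z "$PRIVATENET" ]; then
    echo "qemu hook: PRIVATENET is empty, not adding the nat RETURN rule" >&2
    return 0
  fi
  # Don't NAT traffic from service VMs destined to the local subnet: RETURN
  # leaves the nat POSTROUTING chain before any later (presumably
  # MASQUERADE) rule sees it.
  add_rule "POSTROUTING" "-t nat -s $PRIVATENET -d $SUBNET -j RETURN"
}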
32
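#######################################
# Let traffic sourced from the portal host be forwarded to the VMs.
# Globals:
#   PORTAL - portal IPv4 address, resolved via DNS at script start (read)
# Returns:
#   add_rule's status, or 0 when PORTAL is empty: the rule is skipped with a
#   message on stderr rather than handing iptables a malformed "-s" argument.
# NOTE(review): this ACCEPT trusts whatever the resolver answered for the
# portal name; consider pinning the address if that resolver is not trusted.
#######################################
add_portal_access_rules() {
  if [ -z "$PORTAL" ]; then
    echo "qemu hook: PORTAL is empty, not adding portal access rule" >&2
    return 0
  fi
  add_rule "FORWARD" "-s $PORTAL -j ACCEPT"
}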
36
#######################################
# Let inbound HTTP (TCP/80) be forwarded to the VMs from any source and to
# any destination. Inserted at the top of FORWARD, so it takes precedence
# over any existing restriction in that chain.
# Returns: add_rule's status.
#######################################
add_web_access_rules() {
  local http_rule
  http_rule="-p tcp --dport 80 -j ACCEPT"
  add_rule FORWARD "$http_rule"
}
40
# Entry point: rules are only added for the "start" operation. Every other
# hook operation (including "stopped") is a no-op, so rules are never removed.
case "$OP" in
  start)
    add_local_access_rules
    add_portal_access_rules
    add_web_access_rules
    ;;
esac