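#!/bin/sh
#
# Firewall hook: on the "start" operation, insert iptables rules that let
# forwarded traffic from the local subnet, from the portal host and to
# TCP/80 pass, and exempt service-VM -> local-subnet traffic from NAT.
# The four positionals (name, op, sub-op, args) look like the calling
# convention of a libvirt hook script — presumably installed as one;
# confirm against the deployment. Only $2 (OP) is read in this file.

SHELL="/bin/bash"   # not referenced elsewhere in this script; kept as-is

# Interface of the (first) default route. `head -n 1` keeps NIC to a single
# word on hosts with several default routes; a multi-line value would be
# word-split and break the later `ip addr show` call.
NIC=$( route | grep default | awk '{print $NF}' | head -n 1 )

# First IPv4 address the portal name resolves to. `dig +short` may print a
# CNAME target and/or several A records, but only one dotted-quad is usable
# as an iptables -s argument. NOTE: the rule built from this value trusts
# whatever DNS answered at start time; an empty value means resolution
# failed and no portal rule should be added.
PORTAL=$( dig +short portal.opencloud.us | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1 )

NAME="${1}"
OP="${2}"
SUBOP="${3}"
ARGS="${4}"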
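#######################################
# Insert an iptables rule at position 1 of a chain unless an identical
# rule is already present, so repeated "start" calls stay idempotent.
# Because the rule is inserted at the top, it takes precedence over any
# rule already in the chain.
# Arguments: $1 - chain name (e.g. FORWARD, POSTROUTING)
#            $2 - rule specification as ONE string; it is deliberately
#                 word-split so "-t nat -s X -j RETURN" becomes separate
#                 iptables arguments
# Outputs:   whatever iptables prints (its -C diagnostics go to stderr)
# Returns:   status of `iptables -I`, or 0 when the rule already existed
#######################################
add_rule() {
  # Use the positionals directly instead of assigning CHAIN/ARGS: the
  # original assignment clobbered the script-level ARGS ("$4") global.
  # shellcheck disable=SC2086 — $2 must split into separate arguments
  if ! iptables -C "$1" $2; then
    iptables -I "$1" 1 $2
  fi
}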
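#######################################
# Allow forwarded traffic from the local subnet and exempt service-VM
# traffic bound for that subnet from NAT.
# Globals:   NIC (read) - default-route interface
#            SUBNET, PRIVATENET (written) - "addr/prefix" strings
# Arguments: none
# Outputs:   a diagnostic on stderr when an address cannot be determined
# Returns:   0 when both rules were handed to add_rule, 1 otherwise
#######################################
add_local_access_rules() {
  # First IPv4 "addr/prefix" on the default-route interface and on the
  # virbr0 bridge. `head -n 1` keeps each value to a single word; an
  # interface with several addresses would otherwise yield a multi-line
  # value that is word-split into a malformed iptables command.
  SUBNET=$( ip addr show "$NIC" | grep "inet " | awk '{print $2}' | head -n 1 )
  PRIVATENET=$( ip addr show virbr0 | grep "inet " | awk '{print $2}' | head -n 1 )

  if [ -z "$SUBNET" ]; then
    printf '%s\n' "add_local_access_rules: no IPv4 address on '$NIC', no rules added" >&2
    return 1
  fi
  add_rule "FORWARD" "-s $SUBNET -j ACCEPT"

  if [ -z "$PRIVATENET" ]; then
    printf '%s\n' "add_local_access_rules: no IPv4 address on virbr0, NAT exemption not added" >&2
    return 1
  fi
  # Don't NAT traffic from service VMs destined to the local subnet
  add_rule "POSTROUTING" "-t nat -s $PRIVATENET -d $SUBNET -j RETURN"
}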
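#######################################
# Allow forwarded traffic from the portal host.
# Globals:   PORTAL (read) - address portal.opencloud.us resolved to at
#            script start; the rule trusts that DNS answer as-is
# Arguments: none
# Outputs:   a diagnostic on stderr when PORTAL is empty
# Returns:   0 when the rule was handed to add_rule, 1 when PORTAL is empty
#######################################
add_portal_access_rules() {
  # An empty PORTAL (failed lookup) would otherwise build the malformed
  # rule "-s -j ACCEPT"; refuse explicitly instead.
  if [ -z "$PORTAL" ]; then
    printf '%s\n' "add_portal_access_rules: PORTAL is empty, no rule added" >&2
    return 1
  fi
  add_rule "FORWARD" "-s $PORTAL -j ACCEPT"
}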
#######################################
# Allow forwarded TCP traffic to port 80 from any source.
# Globals:   none
# Arguments: none
# Returns:   status of add_rule
#######################################
add_web_access_rules() {
  # Build (chain, rule) as the function's own positionals, then hand both
  # to add_rule in one go.
  set -- "FORWARD" "-p tcp --dport 80 -j ACCEPT"
  add_rule "$@"
}
# Entry point: only the "start" operation installs rules; every other OP
# (including an empty one) is ignored.
case "$OP" in
  start)
    add_local_access_rules
    add_portal_access_rules
    add_web_access_rules
    ;;
esac