From 1855169a42d0bdd32746c2971755c43f52ac9e16 Mon Sep 17 00:00:00 2001
From: toby
Date: Sun, 4 Nov 2018 21:13:13 +0100
Subject: [PATCH] adding bastion firewall rules to all firewalls. this is precausion so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible but since if ansible gets forgotton or other things happen this will make sure the most critical things are there
---
 files/firewall | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/files/firewall b/files/firewall
index 43c7869..634a332 100755
--- a/files/firewall
+++ b/files/firewall
@@ -46,11 +46,26 @@ case $1 in
 iptables -P INPUT DROP
+ ## some rules for bastion boxes to protect the mgmt networks
+ iptables -F FORWARD
+ iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -o mgmtgw1 -j DROP
+ iptables -A FORWARD -i ipmigw1 -j DROP
+ iptables -A FORWARD -o ipmigw1 -j DROP
+
+ #special tables
 iptables -t mangle -F
 iptables -t nat -F
 iptables -t raw -F
+
+ # this matters only on bastion boxes
+ iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
+ iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
+ iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
+ iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
+ # this matters on all boxes
 iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
 iptables -t raw -A OUTPUT -o mgmt -j ACCEPT
 iptables -t raw -A PREROUTING -j NOTRACK
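Review bot: The `-m state --state ESTABLISHED,RELATED` ACCEPT on `-o mgmtgw1` can only match when both directions of a forwarded flow are connection-tracked, but the raw-table exemptions added in this hunk skip NOTRACK only for packets on mgmtgw1 and ipmigw1; a reply arriving on any other interface still reaches the existing `-t raw -A PREROUTING -j NOTRACK`, carries state UNTRACKED rather than ESTABLISHED, and falls through to `-o mgmtgw1 -j DROP`. If hosts behind mgmtgw1 are expected to open connections through this box, the uplink side of those flows needs an exemption ahead of the NOTRACK rule as well, e.g. `iptables -t raw -A PREROUTING -i <UPLINK_IF> -d <MGMT_NET> -j ACCEPT` (placeholders); if they are not, the ESTABLISHED rule is dead and the `## some rules for bastion boxes` comment should say the mgmt networks are reachable in one direction only. The hunk also flushes FORWARD without setting its policy, so what is forwarded for interfaces other than the two named ones is decided by a `-P FORWARD` line outside this hunk, which is worth naming in that comment. The same points apply to the ip6tables hunk below; the enclosing case arm starts before this hunk.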
@@ -85,15 +100,30 @@ case $1 in
 ip6tables -P INPUT DROP
+ ## some rules for bastion boxes to protect the mgmt networks
+ ip6tables -F FORWARD
+ ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A FORWARD -o mgmtgw1 -j DROP
+ ip6tables -A FORWARD -i ipmigw1 -j DROP
+ ip6tables -A FORWARD -o ipmigw1 -j DROP
+
+ #special tables
 ip6tables -t mangle -F
 ip6tables -t nat -F
 ip6tables -t raw -F
- ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
- ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT
- ip6tables -t raw -A PREROUTING -j NOTRACK
- ip6tables -t raw -A OUTPUT -j NOTRACK
+
+ # this matters only on bastion boxes
+ ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
+ ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
+ ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
+ ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
+ # this matters on all boxes
+ ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
+ ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT
+ ip6tables -t raw -A PREROUTING -j NOTRACK
+ ip6tables -t raw -A OUTPUT -j NOTRACK
 #some boxes get special addon rules
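Review bot: The re-added `ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT` names interface `mgmt` while its PREROUTING counterpart on the preceding line uses `mgmt1`; iptables matches interface names exactly unless they end in `+`, so unless an interface literally called `mgmt` exists this rule matches nothing and outbound packets on mgmt1 fall through to the `-t raw -A OUTPUT -j NOTRACK` that follows, leaving mgmt1 flows tracked in one direction only. If `mgmt1` is the intended name, the line should read `ip6tables -t raw -A OUTPUT -o mgmt1 -j ACCEPT`; the IPv4 context lines in the first hunk carry the same mismatch, though there it predates this commit. Separately, `# this matters only on bastion boxes` contradicts the commit message's stated intent of installing these rules on every box as a precaution; a comment such as `# bastion-only interfaces; no-ops on boxes that lack them` would record why they are unconditional. The enclosing case arm starts before and continues past this hunk.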