From 1c50cecdb50260f764bcfcacbffd75b552a20285 Mon Sep 17 00:00:00 2001
From: toby
Date: Mon, 1 Oct 2018 10:38:25 +0200
Subject: [PATCH] adding direct ssh access on default for bastion, and migrating to admin domain instead of 3 different zones
---
 debian/wit-network-config.postinst | 4 ++--
 debian/wit-network-config.preinst | 4 ++--
 files/firewall | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index 2ad5aaa..4a9fccd 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -24,8 +24,8 @@ case "$1" in
 ### START gather all the info from the box and generate the variabels
- export LOOPBACKv4=$(dig a +short ${HOSTNAME})
- export LOOPBACKv6=$(dig aaaa +short ${HOSTNAME})
+ export LOOPBACKv4=$(dig a +short loopback.${HOSTNAME})
+ export LOOPBACKv6=$(dig aaaa +short loopback.${HOSTNAME})
 NODEASN=$(dig txt +short asn.${HOSTNAME})
 NODEASN="${NODEASN%\"}"
 NODEASN="${NODEASN#\"}"
diff --git a/debian/wit-network-config.preinst b/debian/wit-network-config.preinst
index 595a29d..60bcbf9 100755
--- a/debian/wit-network-config.preinst
+++ b/debian/wit-network-config.preinst
@@ -16,8 +16,8 @@ set -e
 case "$1" in
 install|upgrade)
- export LOOPBACKv4=$(dig a +short ${HOSTNAME})
- export LOOPBACKv6=$(dig aaaa +short ${HOSTNAME})
+ export LOOPBACKv4=$(dig a +short loopback.${HOSTNAME})
+ export LOOPBACKv6=$(dig aaaa +short loopback.${HOSTNAME})
 NODEASN=$(dig txt +short asn.${HOSTNAME})
 NODEASN="${NODEASN%\"}"
 NODEASN="${NODEASN#\"}"
diff --git a/files/firewall b/files/firewall
index c090f84..7e85449 100755
--- a/files/firewall
+++ b/files/firewall
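Review bot: The new `export LOOPBACKv4=$(dig a +short loopback.${HOSTNAME})` and `LOOPBACKv6` lines still discard dig's exit status and never check that an answer came back, so an unreachable resolver or a missing record silently exports an empty loopback address into whatever configuration the rest of the script generates; the identical lines in the wit-network-config.preinst hunk have the same gap. The preinst header shows `set -e`, but the `export VAR=$(...)` form hides the substitution's status from it, and `dig +short` can also print several lines (a CNAME chain or multiple records) that the assignment would store verbatim. Splitting the assignment from the export and failing on an empty result makes the maintainer script stop instead of configuring the node with a blank address; if some nodes are intentionally IPv4-only, the AAAA check would need to be relaxed accordingly. The enclosing `case "$1" in` arm starts and ends outside the hunk.
```shell
LOOPBACKv4=$(dig a +short "loopback.${HOSTNAME}") || exit 1
[ -n "${LOOPBACKv4}" ] || { echo "no A record for loopback.${HOSTNAME}" >&2; exit 1; }
export LOOPBACKv4
LOOPBACKv6=$(dig aaaa +short "loopback.${HOSTNAME}") || exit 1
[ -n "${LOOPBACKv6}" ] || { echo "no AAAA record for loopback.${HOSTNAME}" >&2; exit 1; }
export LOOPBACKv6
# … unchanged: NODEASN lookup and quote stripping …
```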
@@ -21,6 +21,7 @@ case $1 in
 iptables -A INPUT -p esp -j ACCEPT # ipsec
 iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
 iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
+ iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -j ACCEPT # ssh from bastion
 iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns
 iptables -A INPUT -s 170.199.210.99 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
 iptables -A INPUT -p icmp -j ACCEPT
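Review bot: The added `iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -j ACCEPT` carries no connection-state match, so it accepts any TCP segment to port 22 from that source rather than only new connections, and nothing in this hunk shows an ESTABLISHED,RELATED rule that would otherwise cover replies; tying it to conntrack keeps the opened port consistent with stateful filtering: `iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # ssh from bastion`. The bare source `170.199.217.0` with no prefix length is a single /32 host; it matches the existing dns rule so it is presumably the bastion's own address, but it is worth confirming a /24 was not intended. Only an IPv4 rule is added, so if this script also drives ip6tables the bastion's IPv6 path to port 22 is not covered. The `case $1 in` arm holding these rules starts and ends outside the hunk.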