kunsi/bundlewrap
1
0
Fork 0
Code Issues 1 Pull requests 1 Releases Activity

bundles/postfix: add iptables config

Browse source
This commit is contained in:
Franzi 2021-03-21 11:11:49 +01:00
parent c9f008ad82
commit 5775001301
Signed by: kunsi
GPG key ID: 12E3D2136B818350
3 changed files with 27 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
bundles/postfix/files/main.cf
View file

@ -6,7 +6,7 @@ compatibility_level = 2
myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])} myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
myorigin = /etc/mailname myorigin = /etc/mailname
mydestination = $myhostname, localhost mydestination = $myhostname, localhost
mynetworks = ${' '.join(sorted(node.metadata.get('postfix/mynetworks')))} mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))}
mailbox_size_limit = 0 mailbox_size_limit = 0
recipient_delimiter = + recipient_delimiter = +
inet_protocols = all inet_protocols = all

33
bundles/postfix/metadata.py
View file

@ -1,3 +1,5 @@
from bundlewrap.metadata import atomic
defaults = { defaults = {
'apt': { 'apt': {
'packages': { 'packages': {
@ -16,13 +18,6 @@ defaults = {
}, },
}, },
}, },
'postfix': {
'mynetworks': {
'127.0.0.0/8',
'[::ffff:127.0.0.0]/104',
'[::1]/128',
},
},
} }
if node.has_bundle('postfixadmin'): if node.has_bundle('postfixadmin'):
@ -72,3 +67,27 @@ def letsencrypt(metadata):
return { return {
'letsencrypt': result, 'letsencrypt': result,
} }
@metadata_reactor.provides(
'iptables/port_rules/25',
'iptables/port_rules/587',
)
def iptables(metadata):
if node.has_bundle('postfixadmin'):
default = set('*')
else:
default = metadata.get('postfix/mynetworks', set())
rules = {
'25': atomic(metadata.get('postfix/restrict-to', default)),
}
if node.has_bundle('postfixadmin'):
rules['587'] = atomic(metadata.get('postfix/restrict-to', default))
return {
'iptables': {
'port_rules': rules,
},
}

3
nodes/home/router.py
View file

@ -91,9 +91,6 @@ nodes['home.router'] = {
'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22', 'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT', 'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',
# Allow mail from internal network
'iptables_both -A INPUT -s 172.19.138.0/24 -p tcp --dport 25 -j ACCEPT',
# use MASQUERADE for tun0 (c3voc) # use MASQUERADE for tun0 (c3voc)
'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE', 'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',