From 8de79ad033b244e9818873b0eb2b7df9ea4ccf62 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 17 Oct 2015 10:29:11 +0200
Subject: [PATCH] Create a 2-VMs architecture
---
 test-vagrant-salt/NOTES.rst | 49 ++++++++++++++++++++++++++
 test-vagrant-salt/Vagrantfile | 48 ++++++++++++++++++-------
 test-vagrant-salt/salt/gateway/forwarding.sls | 26 ++++++++++++++
 test-vagrant-salt/salt/gateway/init.sls | 2 ++
 test-vagrant-salt/salt/gateway/iptables.rules | 50 +++++++++++++++++++++++++++
 test-vagrant-salt/salt/top.sls | 3 ++
 6 files changed, 166 insertions(+), 12 deletions(-)
 create mode 100644 test-vagrant-salt/NOTES.rst
 create mode 100644 test-vagrant-salt/salt/gateway/forwarding.sls
 create mode 100644 test-vagrant-salt/salt/gateway/init.sls
 create mode 100644 test-vagrant-salt/salt/gateway/iptables.rules
diff --git a/test-vagrant-salt/NOTES.rst b/test-vagrant-salt/NOTES.rst
new file mode 100644
index 0000000..04ab60e
--- /dev/null
+++ b/test-vagrant-salt/NOTES.rst
@@ -0,0 +1,49 @@
+Notes about vagrant-salt usage
+==============================
+
+Documentation links
+-------------------
+
+* https://docs.saltstack.com/en/latest/topics/tutorials/quickstart.html
+ Salt masterless quickstart
+
+
+Quick commands
+--------------
+
+* Start a VM::
+
+ vagrant up
+
+* SSH into a VM::
+
+ vagrant ssh gateway
+ vagrant ssh testvm
+
+* Destroy a VM::
+
+ vagrant destroy
+
+* Apply salt configuration (in an SSH session)::
+
+ sudo salt-call --local state.highstate
+
+* Apply a specfic .sls file::
+
+ sudo salt-call --local state.sls common.packages
+
+* List the current grains::
+
+ sudo salt-call --local grains.ls
+ sudo salt-call --local grains.items
+
+
+Random notes during the development of the project
+--------------------------------------------------
+
+* Architecture: a test VM is installed with a fully functionnal mailing system. It is connected to a `gateway` VM which filters almost everything:
+
+ - HTTP communications are forwarded (to allow installing packets)
+ - emails are never forwarded but stored on the VM
+ - every other TCP and UDP ports are filtered
+
diff --git a/test-vagrant-salt/Vagrantfile b/test-vagrant-salt/Vagrantfile
index 3565641..1b3de82 100644
--- a/test-vagrant-salt/Vagrantfile
+++ b/test-vagrant-salt/Vagrantfile
@@ -6,18 +6,42 @@
 # backwards compatibility). Please don't change it unless you know what
 # you're doing.
 Vagrant.configure(2) do |config|
- config.vm.box = "debian/jessie64"
- config.vm.network "private_network", ip: "192.168.33.10"
- config.vm.synced_folder "salt/", "/srv/salt"
+ # Filtering gateway of the virtual machine
+ config.vm.define :gateway do |gateway_config|
+ gateway_config.vm.box = "debian/jessie64"
+ gateway_config.vm.host_name = "gateway"
+ gateway_config.vm.network "private_network", ip: "192.168.33.2"
+ gateway_config.vm.synced_folder "salt/", "/srv/salt"
 
- config.vm.provision :salt do |salt|
- salt.minion_config = "saltconfig"
- salt.install_type = "stable"
- #salt.run_highstate = true
- salt.masterless = true
- salt.verbose = true
- salt.colorize = true
- # https://github.com/mitchellh/vagrant/issues/5973#issuecomment-137276605
- salt.bootstrap_options = "-F -c /tmp/ -P"
+ gateway_config.vm.provision :salt do |salt|
+ salt.minion_config = "saltconfig"
+ salt.install_type = "stable"
+ salt.masterless = true
+ salt.verbose = true
+ salt.colorize = true
+ # https://github.com/mitchellh/vagrant/issues/5973#issuecomment-137276605
+ salt.bootstrap_options = "-F -c /tmp/ -P"
+ end
+ end
+
+ # Test virtual machine to run things
+ config.vm.define :testvm do |testvm_config|
+ testvm_config.vm.box = "debian/jessie64"
+ testvm_config.vm.host_name = "testvm"
+ testvm_config.vm.network "private_network", ip: "192.168.33.10"
+ testvm_config.vm.synced_folder "salt/", "/srv/salt"
+
+ # Change the default route to the gateway VM
+ testvm_config.vm.provision "shell",
+ inline: "sudo ip route delete default ; sudo ip route add default via 192.168.33.2"
+
+ testvm_config.vm.provision :salt do |salt|
+ salt.minion_config = "saltconfig"
+ salt.install_type = "stable"
+ salt.masterless = true
+ salt.verbose = true
+ salt.colorize = true
+ salt.bootstrap_options = "-F -c /tmp/ -P"
+ end
 end
 end
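Review bot: The default-route change for testvm is a one-shot shell provisioner, so it is applied only on the first `vagrant up`; after a reboot, or presumably when the DHCP client on eth0 (Vagrant's NAT interface, which testvm still has) renews its lease, the default route via eth0 is likely restored and the VM's traffic bypasses the gateway entirely, which defeats the filtering the NOTES file describes. Marking the provisioner `run: "always"` re-applies it on every `vagrant up` or `vagrant reload`, and the `sudo` prefixes are redundant because the shell provisioner is privileged by default: `testvm_config.vm.provision "shell", run: "always",` / `inline: "ip route delete default ; ip route add default via 192.168.33.2"`. The `:salt` provisioner block is now duplicated verbatim for both VMs; a small lambda taking the per-VM config object would keep the two in sync.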
diff --git a/test-vagrant-salt/salt/gateway/forwarding.sls b/test-vagrant-salt/salt/gateway/forwarding.sls
new file mode 100644
index 0000000..762b822
--- /dev/null
+++ b/test-vagrant-salt/salt/gateway/forwarding.sls
@@ -0,0 +1,26 @@
+# Forwarding configuration
+iptables-persistent:
+ pkg.installed
+
+netfilter-persistent:
+ service.running:
+ - require:
+ - pkg: iptables-persistent
+
+/etc/iptables/rules.v4:
+ file.managed:
+ - source : salt://gateway/iptables.rules
+ - makedirs: True
+ - watch_in:
+ - service: netfilter-persistent
+
+/etc/iptables/rules.v6:
+ file.symlink:
+ - target : rules.v4
+ - force : True
+ - watch_in:
+ - service: netfilter-persistent
+
+net.ipv4.conf.all.forwarding:
+ sysctl.present:
+ - value: 1
diff --git a/test-vagrant-salt/salt/gateway/init.sls b/test-vagrant-salt/salt/gateway/init.sls
new file mode 100644
index 0000000..6c6003e
--- /dev/null
+++ b/test-vagrant-salt/salt/gateway/init.sls
@@ -0,0 +1,2 @@
+include:
+ - .forwarding
diff --git a/test-vagrant-salt/salt/gateway/iptables.rules b/test-vagrant-salt/salt/gateway/iptables.rules
new file mode 100644
index 0000000..612f07b
--- /dev/null
+++ b/test-vagrant-salt/salt/gateway/iptables.rules
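Review bot: The `net.ipv4.conf.all.forwarding` state at the end of the forwarding.sls hunk has no requisite on the `netfilter-persistent` service, so the fact that forwarding is switched on only after the DROP-policy ruleset is loaded rests on file order alone; if a later edit moves the state, the gateway could forward with the default ACCEPT policy in place. Make the dependency explicit by adding `- require:` / `- service: netfilter-persistent` under `sysctl.present`. The `/etc/iptables/rules.v4` state also leaves `user`/`group`/`mode` at Salt's defaults; setting `- mode: 600` keeps the filtering policy unreadable to unprivileged accounts on the gateway. Only the IPv4 forwarding sysctl is enabled, so the `-6` FORWARD rule in iptables.rules is inert unless IPv6 forwarding is turned on elsewhere — worth a comment if that is intended.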
@@ -0,0 +1,50 @@
+# Gateway firwall configuration
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Trust local loopback
+-A INPUT -i lo -j ACCEPT
+
+# Drop invalid packets
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Accept everything on ICMP
+-4 -A INPUT -p icmp -j ACCEPT
+-6 -A INPUT -p ipv6-icmp -j ACCEPT
+
+# Drop DHCP requests but accept answers
+-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
+-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+
+-A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Accept SSH, SMTP
+-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT
+
+# Accept DNS, NTP
+-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT
+
+# Log and drop
+-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
+
+# Forwarding rules between private network (eth1) and public one (eth0)
+# Forward pings
+-4 -A FORWARD -p icmp -j ACCEPT
+-6 -A FORWARD -p ipv6-icmp -j ACCEPT
+
+# Forward HTTP, HTTPS
+-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
+-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# NAT the external interface when forwarding from the private network
+-A POSTROUTING -o eth0 -j MASQUERADE
+COMMIT
diff --git a/test-vagrant-salt/salt/top.sls b/test-vagrant-salt/salt/top.sls
index 133c807..294daf9 100644
--- a/test-vagrant-salt/salt/top.sls
+++ b/test-vagrant-salt/salt/top.sls
@@ -1,3 +1,6 @@
 base:
 '*':
 - common
+ {% if grains['fqdn'] == 'gateway' %}
+ - gateway
+ {% endif %}
-- 
2.1.4
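Review bot: The return-path rule `-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT` is stateless: any TCP segment arriving on eth0 with source port 80 or 443 is forwarded to any port on the private network whether or not a connection exists, which is the classic hole a port-scanner exploits and is weaker than the conntrack-based rules the INPUT chain already uses. Replace it with `-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` placed before the outbound HTTP rule; the FORWARD ping rules can then be restricted to `-i eth1 -o eth0` for echo requests, since replies are covered by the conntrack rule. No DNS forwarding rule exists, so name resolution for package installs on testvm presumably relies on something outside this file — a comment next to `# Forward HTTP, HTTPS` saying how names are expected to resolve would save the next reader a debugging session. `firwall` in the header comment is a typo for `firewall`.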
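Review bot: The new `{% if grains['fqdn'] == 'gateway' %}` block in top.sls is fragile: the fqdn grain is resolved through DNS and /etc/hosts and picks up a domain suffix if one is ever configured (for example by the DHCP client on eth0), at which point the comparison fails and the gateway silently receives no firewall or forwarding configuration at all. Salt's top file can match on grains directly without Jinja, which is both clearer and unaffected by the suffix: add a second target `'host:gateway':` with `- match: grain` and `- gateway`. If the Jinja form is kept, `grains['host']` is the suffix-free hostname and the safer comparison.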