--- /dev/null
+Notes about vagrant-salt usage
+==============================
+
+Documentation links
+-------------------
+
+* https://docs.saltstack.com/en/latest/topics/tutorials/quickstart.html
+ Salt masterless quickstart
+
+
+Quick commands
+--------------
+
+* Start a VM::
+
+ vagrant up
+
+* SSH into a VM::
+
+ vagrant ssh gateway
+ vagrant ssh testvm
+
+* Destroy a VM::
+
+ vagrant destroy
+
+* Apply salt configuration (in an SSH session)::
+
+ sudo salt-call --local state.highstate
+
+* Apply a specfic .sls file::
+
+ sudo salt-call --local state.sls common.packages
+
+* List the current grains::
+
+ sudo salt-call --local grains.ls
+ sudo salt-call --local grains.items
+
+
+Random notes during the development of the project
+--------------------------------------------------
+
+* Architecture: a test VM is installed with a fully functionnal mailing system. It is connected to a `gateway` VM which filters almost everything:
+
+ - HTTP communications are forwarded (to allow installing packets)
+ - emails are never forwarded but stored on the VM
+ - every other TCP and UDP ports are filtered
+
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure(2) do |config|
- config.vm.box = "debian/jessie64"
- config.vm.network "private_network", ip: "192.168.33.10"
- config.vm.synced_folder "salt/", "/srv/salt"
+ # Filtering gateway of the virtual machine
+ config.vm.define :gateway do |gateway_config|
+ gateway_config.vm.box = "debian/jessie64"
+ gateway_config.vm.host_name = "gateway"
+ gateway_config.vm.network "private_network", ip: "192.168.33.2"
+ gateway_config.vm.synced_folder "salt/", "/srv/salt"
- config.vm.provision :salt do |salt|
- salt.minion_config = "saltconfig"
- salt.install_type = "stable"
- #salt.run_highstate = true
- salt.masterless = true
- salt.verbose = true
- salt.colorize = true
- # https://github.com/mitchellh/vagrant/issues/5973#issuecomment-137276605
- salt.bootstrap_options = "-F -c /tmp/ -P"
+ gateway_config.vm.provision :salt do |salt|
+ salt.minion_config = "saltconfig"
+ salt.install_type = "stable"
+ salt.masterless = true
+ salt.verbose = true
+ salt.colorize = true
+ # https://github.com/mitchellh/vagrant/issues/5973#issuecomment-137276605
+ salt.bootstrap_options = "-F -c /tmp/ -P"
+ end
+ end
+
+ # Test virtual machine to run things
+ config.vm.define :testvm do |testvm_config|
+ testvm_config.vm.box = "debian/jessie64"
+ testvm_config.vm.host_name = "testvm"
+ testvm_config.vm.network "private_network", ip: "192.168.33.10"
+ testvm_config.vm.synced_folder "salt/", "/srv/salt"
+
+ # Change the default route to the gateway VM
+ testvm_config.vm.provision "shell",
+ inline: "sudo ip route delete default ; sudo ip route add default via 192.168.33.2"
+
+ testvm_config.vm.provision :salt do |salt|
+ salt.minion_config = "saltconfig"
+ salt.install_type = "stable"
+ salt.masterless = true
+ salt.verbose = true
+ salt.colorize = true
+ salt.bootstrap_options = "-F -c /tmp/ -P"
+ end
end
end
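Review bot: The isolation of testvm rests on the shell provisioner line `sudo ip route delete default ; sudo ip route add default via 192.168.33.2`, which is not a security boundary: the default NAT adapter stays attached, so hosts on its on-link subnet remain reachable with no default route at all, and the same `sudo` the provisioner uses (or, presumably, a DHCP lease renewal on that adapter) can put the original default route back. If the intent is that nothing leaves testvm except through the gateway, it needs to be enforced on testvm itself (a host firewall with an OUTPUT policy, or bringing the NAT adapter down after boot) and the private network should arguably be an internal network rather than host-only, e.g. `testvm_config.vm.network "private_network", ip: "192.168.33.10", virtualbox__intnet: "mailnet"` on both VMs. Separately, neither salt block sets `salt.run_highstate = true`, so on a fresh `vagrant up` the gateway has no forwarding or ruleset at the moment testvm's route is switched, and testvm's apt-based salt bootstrap would presumably fail until the gateway highstate is run by hand; `salt.run_highstate = true` on the gateway, or a documented `vagrant up gateway` + highstate step, would close that gap. Also consider pinning `config.vm.box_version` or `box_download_checksum` for `debian/jessie64` so the base image the firewall is tested on is reproducible.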
--- /dev/null
+# Forwarding configuration
+iptables-persistent:
+ pkg.installed
+
+netfilter-persistent:
+ service.running:
+ - require:
+ - pkg: iptables-persistent
+
+/etc/iptables/rules.v4:
+ file.managed:
+ - source : salt://gateway/iptables.rules
+ - makedirs: True
+ - watch_in:
+ - service: netfilter-persistent
+
+/etc/iptables/rules.v6:
+ file.symlink:
+ - target : rules.v4
+ - force : True
+ - watch_in:
+ - service: netfilter-persistent
+
+net.ipv4.conf.all.forwarding:
+ sysctl.present:
+ - value: 1
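Review bot: The `net.ipv4.conf.all.forwarding` state has no requisite on the firewall, so it relies on declaration order alone to run after `netfilter-persistent` has loaded the DROP-policy ruleset; if that order changes, or `state_auto_order` is off, the gateway can start forwarding under the kernel's default ACCEPT policies. Add `- require:` / `- service: netfilter-persistent` under `sysctl.present` so forwarding is only switched on once the rules are in place. As a smaller point, the same file is served as `rules.v6` (where the `-4` lines should be ignored) while no `net.ipv6.conf.all.forwarding` state exists, which leaves IPv6 forwarding off; if that is intentional, a one-line comment on the `rules.v6` state saying so would save the next reader the check.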
--- /dev/null
+include:
+ - .forwarding
--- /dev/null
+# Gateway firwall configuration
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Trust local loopback
+-A INPUT -i lo -j ACCEPT
+
+# Drop invalid packets
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Accept everything on ICMP
+-4 -A INPUT -p icmp -j ACCEPT
+-6 -A INPUT -p ipv6-icmp -j ACCEPT
+
+# Drop DHCP requests but accept answers
+-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
+-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+
+-A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Accept SSH, SMTP
+-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT
+
+# Accept DNS, NTP
+-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT
+
+# Log and drop
+-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
+
+# Forwarding rules between private network (eth1) and public one (eth0)
+# Forward pings
+-4 -A FORWARD -p icmp -j ACCEPT
+-6 -A FORWARD -p ipv6-icmp -j ACCEPT
+
+# Forward HTTP, HTTPS
+-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
+-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# NAT the external interface when forwarding from the private network
+-A POSTROUTING -o eth0 -j MASQUERADE
+COMMIT
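Review bot: The return-path rule `-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT` keys on source port rather than connection state, so any peer that sends from port 80 or 443 can open a new connection to any port on the private network through the gateway. The ICMP forward rules accept every ICMP type in both directions with no interface or address restriction, which contradicts the stated goal that only HTTP(S) leaves testvm: an ICMP echo tunnel is a working exfiltration channel for the stored mail. Stateful forwarding with conntrack, echo-request only from eth1, an explicit INVALID drop and a logged FORWARD drop mirroring the INPUT chain fix both; the IPv6 ICMP forward can go as well since IPv6 forwarding is not enabled by the state file. Note that udp/53 is still not forwarded, so testvm's name resolution must come from somewhere other than the gateway (presumably the NAT adapter's on-link resolver), which deserves a comment either way, and `-A POSTROUTING -o eth0 -j MASQUERADE` could be narrowed with `-s 192.168.33.0/24` so only the private network is NATed.
```iptables
# … unchanged: *filter header and INPUT chain …

# Forwarding between private network (eth1) and public one (eth0):
# stateful return path only, then NEW outbound HTTP(S) and echo-request from the private side
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p icmp --icmp-type echo-request -j ACCEPT
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[FWD DROP] "
COMMIT

# … unchanged: *nat table …
```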
base:
'*':
- common
+ {% if grains['fqdn'] == 'gateway' %}
+ - gateway
+ {% endif %}
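Review bot: The gateway states are selected with `grains['fqdn'] == 'gateway'`, and the fqdn grain depends on how the hostname resolves inside the box rather than on the name the Vagrantfile assigns, so a mismatch (a domain suffix, for instance) would silently leave the gateway with `common` only: no ruleset, forwarding off, and no error from the highstate. Matching on the `host` grain or the minion id with Salt's native matcher is more robust and needs no Jinja, e.g. `'host:gateway':` / `- match: grain` / `- gateway`. Either way it is worth confirming with `sudo salt-call --local grains.get fqdn` on the gateway, which the notes file could list next to the other grains commands so the failure is visible rather than silent.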