From f1d4913ebcd8381c197feddb871ec3fa81002843 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Sat, 19 Oct 2024 13:57:23 +0200
Subject: [PATCH] allow everything between cluster nodes

The script will set the same firewall on all nodes.

Closes infrastructure/documentation#32
---
 README.md | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 3e0aede..b9ee6e5 100644
--- a/README.md
+++ b/README.md
@@ -74,16 +74,34 @@ sudo ufw default allow incoming
 sudo ufw default allow outgoing
 sudo ufw default allow routed
-ips="88.198.58.177 2a01:4f8:222:507::2" # host specific
+interface=enp5s0
-for host_ip in $ips ; do
- sudo ufw allow to $host_ip port 22 proto tcp
- sudo ufw deny to $host_ip
+function internode() {
+ for from in $@ ; do
+ for to in $@ ; do
+ if test $from != $to ; then
+ sudo ufw allow in on $interface from $from to $to
+ fi
+ done
+ done
+}
+
+ipv4="65.108.204.171 88.198.58.177"
+internode $ipv4
+
+ipv6="2a01:4f9:1a:a082::2 2a01:4f8:222:507::2"
+internode $ipv6
+
+for host_ip in $ipv4 $ipv6 ; do
+ sudo ufw allow in on $interface to $host_ip port 22 proto tcp
+ sudo ufw deny in on $interface log-all to $host_ip
 done
-for public_ip in 188.40.16.47 2a01:4f8:fff2:48::2 ; do
- sudo ufw allow to $public_ip port 22,80,443,2000:3000 proto tcp
- sudo ufw deny to $public_ip
+failover="188.40.16.47 2a01:4f8:fff2:48::2"
+
+for public_ip in $failover ; do
+ sudo ufw allow in on $interface to $public_ip port 22,80,443,2000:3000 proto tcp
+ sudo ufw deny in on $interface log-all to $public_ip
 done
 ```
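Review bot: `interface=enp5s0` replaces the old `# host specific` value with a single hard-coded name for every node, but nothing verifies the interface exists before the `allow in on $interface` and `deny in on $interface log-all` rules are added; on a node whose NIC is named differently those rules never match, and because the context line `sudo ufw default allow incoming` is still the default policy, that host is left with no effective restriction while the script exits cleanly. A guard right after the assignment would fail loudly instead, e.g. `test -d "/sys/class/net/$interface" || { echo "unknown interface: $interface" >&2; exit 1; }`. The internode() allow rules also only take effect because they are added before the per-host `deny` rules (ufw applies the first matching rule), so a one-line comment above the function stating that the order matters would keep a later edit from moving the deny loop above it. The start of the script (reset and default-policy lines) lies outside the hunk.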