Commit 1a63a56f authored by Joanne Hugé

playbook/ors: add iptables rules and disable dns stub

parent 38020ebe
source /etc/network/interfaces.d/*
auto lo auto lo
iface lo inet loopback iface lo inet loopback
...@@ -7,10 +5,16 @@ auto enp2s0 ...@@ -7,10 +5,16 @@ auto enp2s0
iface enp2s0 inet dhcp iface enp2s0 inet dhcp
post-up echo 1 > /proc/sys/net/ipv4/conf/all/forwarding post-up echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
post-up iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE post-up iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
post-up iptables -t nat -A POSTROUTING -p udp -m udp --sport 5353 -j SNAT --to-source :53
post-up iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination :5353
post-up ip6tables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE post-up ip6tables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
auto enp0s31f6 auto enp0s31f6
iface enp0s31f6 inet dhcp iface enp0s31f6 inet dhcp
post-up echo 1 > /proc/sys/net/ipv4/conf/all/forwarding post-up echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
post-up iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE post-up iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
post-up iptables -t nat -A POSTROUTING -p udp -m udp --sport 5353 -j SNAT --to-source :53
post-up iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination :5353
post-up ip6tables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE post-up ip6tables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
source /etc/network/interfaces.d/*
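Review bot: The DNAT line added under both enp2s0 and enp0s31f6 matches every UDP packet to port 53 that enters this host, with no `-i` or `-d` qualifier, so DNS queries from clients that this box merely forwards to external resolvers are rewritten to the local :5353 listener too, and a client configured to use another resolver ends up answered by this host without any indication; if only queries addressed to the router itself are meant, qualify the rule, e.g. `post-up iptables -t nat -A PREROUTING -i enp2s0 -p udp -m udp --dport 53 -j DNAT --to-destination :5353` (and `-i enp0s31f6` in the second stanza). The two `ansible.builtin.iptables` tasks in the next hunk have the same unqualified shape (no `in_interface`/`destination`). Because the new rules carry no interface, the two stanzas install identical entries, and `-A` in a post-up line appends on every ifup without an existence check, so the nat chains gain a duplicate DNAT/SNAT pair each time either interface comes up; the pre-existing MASQUERADE lines at least differ per interface. Guarding each line with `iptables -t nat -C ... || iptables -t nat -A ...` avoids the accumulation. There is no ip6tables counterpart for the DNS rules, so IPv6 DNS traffic is presumably unaffected by the redirect — confirm that is intended.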
...@@ -122,6 +122,46 @@ ...@@ -122,6 +122,46 @@
- name: Copy keys for SR - name: Copy keys for SR
copy: src=/root/.amarisoft dest=/opt/amarisoft owner=root mode=644 copy: src=/root/.amarisoft dest=/opt/amarisoft owner=root mode=644
ignore_errors: yes
- name: Add kernel parameter - name: Add kernel parameter
script: configure-grub script: configure-grub
- name: Disable DNS stub resolver
lineinfile: dest=/etc/systemd/resolved.conf regexp="(.*)DNSStubListener=(.*)" line="DNSStubListener=no" state=present
register: disable_dns_stub
- name: Create resolv symbolic link
file:
src: /run/systemd/resolve/resolv.conf
dest: /etc/resolv.conf
state: link
force: true
register: create_resolv_link
- name: Restart systemd-resolved.service if necessary
systemd: name=systemd-resolved.service enabled=yes state=restarted
when: (disable_dns_stub.changed) or (create_resolv_link.changed)
- name: Enable and start systemd-resolved.service
systemd: name=systemd-resolved.service enabled=yes state=started
- name: Redirect 53 to 5353
ansible.builtin.iptables:
chain: PREROUTING
table: nat
protocol: udp
match: udp
jump: DNAT
destination_port: 53
to_destination: ':5353'
- name: Redirect 5353 to 53
ansible.builtin.iptables:
chain: POSTROUTING
table: nat
protocol: udp
match: udp
jump: SNAT
source_port: 5353
to_source: ':53'
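Review bot: `ignore_errors: yes` on the "Copy keys for SR" task masks every failure of that copy — a missing /root/.amarisoft or a permission error — so the play reports success with no keys in place; if the key directory is optional, check for it with `ansible.builtin.stat` and put `when: amarisoft_keys.stat.exists` on the copy instead, and in any case write `true` rather than `yes`. The two `ansible.builtin.iptables` tasks only change the running ruleset (the module does not persist rules), and the same rules are appended by the post-up lines in the interfaces file of the other hunk, so the tasks matter only until the next ifup — a comment such as `# runtime only; persisted by the post-up lines in the interfaces file` would keep a future reader from adding a second persistence mechanism. These two tasks use the FQCN form while every other task in the hunk uses short module names; pick one convention. The `lineinfile` regexp `(.*)DNSStubListener=(.*)` is presumably there to catch a commented-out `#DNSStubListener=` line so the edit lands in place rather than being appended at end of file; the anchored form `^#?DNSStubListener=` says that more plainly and deserves a one-line comment either way.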