Commit fc4992e7 authored by Joanne Hugé's avatar Joanne Hugé

playbook/ors: configure firewall

parent e4f41c3c
#!/bin/bash
# Enable ipv4 and ipv6 forwarding for core network
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# Set correct iptables rules
mkdir -p /etc/iptables
IF_LIST=()
CONFV4="/etc/iptables/rules.v4"
TMPV4="/tmp/rules.v4.$(date +%s)"
CONFV6="/etc/iptables/rules.v6"
TMPV6="/tmp/rules.v6.$(date +%s)"
## Get sorted list of physical network interfaces
cd /sys/class/net;
for IF in $(find . -type l -printf "%f\n"); do
# If interface is not virtual
if ! realpath $(readlink $IF) | grep -q "^/sys/devices/virtual"; then
IF_LIST+=($IF);
fi
done
IFS=$'\n' IF_LIST_SORTED=($(sort <<<"${IF_LIST[*]}"))
unset IFS
## Write target IPv4 rules
cat > $TMPV4 << EOF
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination :5353
-A POSTROUTING -p udp -m udp --sport 5353 -j SNAT --to-source :53
EOF
for IF in "${IF_LIST_SORTED[@]}"; do
cat >> $TMPV4 << EOF
-A POSTROUTING -o $IF -j MASQUERADE
EOF
done
cat >> $TMPV4 << EOF
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
## Write target IPv6 rules
cat > $TMPV6 << EOF
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
EOF
for IF in "${IF_LIST_SORTED[@]}"; do
cat >> $TMPV6 << EOF
-A POSTROUTING -o $IF -j MASQUERADE
EOF
done
cat >> $TMPV6 << EOF
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
## Reconfigure iptables if current rules doens't match target rules
touch $CONFV4 $CONFV6
if ! diff $TMPV4 $CONFV4; then
cp $TMPV4 $CONFV4
iptables-restore $CONFV4
fi
if ! diff $TMPV6 $CONFV6; then
cp $TMPV6 $CONFV6
ip6tables-restore $CONFV6
fi
rm -f $TMPV4 $TMPV6
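Review bot: `TMPV4="/tmp/rules.v4.$(date +%s)"` and `TMPV6` are predictable names in a world-writable directory that root then opens with `cat >` and later copies into /etc/iptables, so a file or symlink already present at that path would be followed; `mktemp` creates a fresh, unpredictable file and a `trap` can remove it on every exit path. The restore order is also fragile: `cp $TMPV4 $CONFV4` runs before `iptables-restore $CONFV4`, so a ruleset the kernel rejects still replaces the persisted file that iptables-persistent loads at boot — load first and persist only on success (same for the v6 block). Without `set -e` a failing `cd /sys/class/net` leaves `find .` scanning whatever the current directory is, and every `$TMPV4`/`$CONFV4`/`$TMPV6`/`$CONFV6` expansion is unquoted. Since `*filter` leaves INPUT/FORWARD/OUTPUT at ACCEPT while forwarding is enabled and MASQUERADE is added on every physical interface, a header comment stating that this is deliberately a NAT-only configuration would help the next reader; the rewritten lines are below.
```shell
#!/bin/bash
# NAT-only configuration: filter chains stay at ACCEPT on purpose (confirm with author).
set -e
# … unchanged: forwarding sysctls, mkdir, CONFV4/CONFV6 …
TMPV4=$(mktemp /tmp/rules.v4.XXXXXX)
TMPV6=$(mktemp /tmp/rules.v6.XXXXXX)
trap 'rm -f -- "$TMPV4" "$TMPV6"' EXIT
# … unchanged: interface discovery and rule generation (cd now aborts on failure) …
touch "$CONFV4" "$CONFV6"
if ! diff -q "$TMPV4" "$CONFV4" >/dev/null; then
  # Load first; under set -e a rejected ruleset stops here and rules.v4 is left untouched.
  iptables-restore "$TMPV4"
  cp -- "$TMPV4" "$CONFV4"
fi
if ! diff -q "$TMPV6" "$CONFV6" >/dev/null; then
  ip6tables-restore "$TMPV6"
  cp -- "$TMPV6" "$CONFV6"
fi
```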
...@@ -4,3 +4,4 @@ dependencies: ...@@ -4,3 +4,4 @@ dependencies:
- { role: package, package_name: patchelf, package_state: present } - { role: package, package_name: patchelf, package_state: present }
- { role: package, package_name: util-linux, package_state: present } - { role: package, package_name: util-linux, package_state: present }
- { role: package, package_name: grub-efi-amd64-signed, package_state: present } - { role: package, package_name: grub-efi-amd64-signed, package_state: present }
- { role: package, package_name: iptables-persistent, package_state: present }
...@@ -95,6 +95,9 @@ ...@@ -95,6 +95,9 @@
# Network # Network
- name: Configure firewall
script: configure-firewall
- name: Configure /etc/systemd/network/dhcp.network - name: Configure /etc/systemd/network/dhcp.network
copy: src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644 copy: src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644
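Review bot: The `script: configure-firewall` task will report `changed` on every play run, even though the script only reloads rules when its `diff` finds a difference, so the play's change report loses meaning for this step. Since `diff` prints to stdout only when the rule sets differ, a `register` plus `changed_when: firewall.stdout != ""` would make the report match what the script actually did. The path `configure-firewall` presumably resolves to the role's files/ directory — confirm that is where the new script lives.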
...@@ -116,6 +119,12 @@ ...@@ -116,6 +119,12 @@
- name: Configure dhcp timeout - name: Configure dhcp timeout
lineinfile: dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present lineinfile: dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present
- name: Configure IPv4 forwarding
lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.conf.all.forwarding=(.*)" line="net.ipv4.conf.all.forwarding=1" state=present
- name: Configure IPv6 forwarding
lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv6.conf.all.forwarding=(.*)" line="net.ipv6.conf.all.forwarding=1" state=present
- name: Disable dnsmasq service - name: Disable dnsmasq service
systemd: name=dnsmasq.service enabled=no state=stopped systemd: name=dnsmasq.service enabled=no state=stopped
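Review bot: The two new `lineinfile` tasks write `/etc/sysctl.conf` but nothing reloads it, so the persisted values only take effect at the next boot; the running setting currently comes from the `echo 1 >` lines in the configure-firewall script, which is easy to miss. The `sysctl` module persists and applies in one step, e.g. `sysctl: name=net.ipv4.conf.all.forwarding value=1 sysctl_set=yes state=present reload=yes`, and the same for the IPv6 key. The `regexp` values also leave `.` unescaped, so `^net.ipv4.conf.all.forwarding=(.*)` matches any character in those positions; `^net\.ipv4\.conf\.all\.forwarding=` is the intended anchor.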