Commit 4cc8e3a0 authored by Joanne Hugé's avatar Joanne Hugé

playbook/ors: configure firewall

parent be4eea75
#!/bin/bash
# Enable ipv4 and ipv6 forwarding for core network
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# Set correct iptables rules
IF_LIST=()
CONFV4="/etc/iptables/rules.v4"
TMPV4="/tmp/rules.v4.$(date +%s)"
CONFV6="/etc/iptables/rules.v6"
TMPV6="/tmp/rules.v6.$(date +%s)"
## Get sorted list of physical network interfaces
cd /sys/class/net;
for IF in $(find . -type l -printf "%f\n"); do
# If interface is not virtual
if ! realpath $(readlink $IF) | grep -q "^/sys/devices/virtual"; then
IF_LIST+=($IF);
fi
done
IFS=$'\n' IF_LIST_SORTED=($(sort <<<"${IF_LIST[*]}"))
unset IFS
## Write target IPv4 rules
cat > $TMPV4 << EOF
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination :5353
-A POSTROUTING -p udp -m udp --sport 5353 -j SNAT --to-source :53
EOF
for IF in "${IF_LIST_SORTED[@]}"; do
cat >> $TMPV4 << EOF
-A POSTROUTING -o $IF -j MASQUERADE
EOF
done
cat >> $TMPV4 << EOF
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
## Write target IPv6 rules
cat > $TMPV6 << EOF
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
EOF
for IF in "${IF_LIST_SORTED[@]}"; do
cat >> $TMPV6 << EOF
-A POSTROUTING -o $IF -j MASQUERADE
EOF
done
cat >> $TMPV6 << EOF
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
## Reconfigure iptables if current rules doens't match target rules
touch $CONFV4 $CONFV6
if ! diff $TMPV4 $CONFV4; then
cp $TMPV4 $CONFV4
iptables-restore $CONFV4
fi
if ! diff $TMPV6 $CONFV6; then
cp $TMPV6 $CONFV6
ip6tables-restore $CONFV6
fi
rm -f $TMPV4 $TMPV6
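Review bot: The rule files are written to predictable names under /tmp (`TMPV4="/tmp/rules.v4.$(date +%s)"`, same for v6) with a plain `cat >`, so any local account that can guess the timestamp can pre-create a file or symlink at that path and have root write through it; `mktemp` plus a cleanup `trap` removes the guessable name and also replaces the unconditional `rm -f` on the last line. The persist-then-apply order in the two `if ! diff` blocks is fragile as well: `cp` updates /etc/iptables/rules.v4 before `iptables-restore` runs, so a restore that fails leaves the saved file already equal to the target and the next run's `diff` will never retry it; restoring from the temp file first and copying only on success fixes that. The `cd /sys/class/net;` is unchecked, so if sysfs is missing `find .` scans whatever the current directory is, and `cd /sys/class/net || exit 1` is safer. Separately, the filter table is written with ACCEPT policies and no rules, so with forwarding enabled the host forwards between every physical interface; a comment stating whether that permissive filter table is intended would help the next reader.
```shell
TMPV4=$(mktemp /tmp/rules.v4.XXXXXX) || exit 1
TMPV6=$(mktemp /tmp/rules.v6.XXXXXX) || exit 1
trap 'rm -f -- "$TMPV4" "$TMPV6"' EXIT
# … unchanged: interface discovery and rule generation into $TMPV4 / $TMPV6 …
touch "$CONFV4" "$CONFV6"
if ! diff "$TMPV4" "$CONFV4"; then
  iptables-restore "$TMPV4" && cp "$TMPV4" "$CONFV4"
fi
if ! diff "$TMPV6" "$CONFV6"; then
  ip6tables-restore "$TMPV6" && cp "$TMPV6" "$CONFV6"
fi
```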
...@@ -95,6 +95,9 @@ ...@@ -95,6 +95,9 @@
# Network # Network
- name: Configure firewall
script: configure-firewall
- name: Configure /etc/systemd/network/dhcp.network - name: Configure /etc/systemd/network/dhcp.network
copy: src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644 copy: src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644
...@@ -110,6 +113,12 @@ ...@@ -110,6 +113,12 @@
- name: Configure dhcp timeout - name: Configure dhcp timeout
lineinfile: dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present lineinfile: dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present
- name: Configure IPv4 forwarding
lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.conf.all.forwarding=(.*)" line="net.ipv4.conf.all.forwarding=1" state=present
- name: Configure IPv6 forwarding
lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv6.conf.all.forwarding=(.*)" line="net.ipv6.conf.all.forwarding=1" state=present
- name: Disable dnsmasq service - name: Disable dnsmasq service
systemd: name=dnsmasq.service enabled=no state=stopped systemd: name=dnsmasq.service enabled=no state=stopped
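Review bot: The two `lineinfile` tasks in the second hunk (`@@ -110,6 +113,12 @@`) only edit /etc/sysctl.conf; nothing in the playbook applies the value, so the running kernel setting comes solely from the `echo 1 > /proc/sys/...` lines in configure-firewall until the next reboot. The `sysctl` module does both in one step, e.g. `sysctl: name=net.ipv4.conf.all.forwarding value=1 sysctl_set=yes state=present reload=yes`, and would let the script drop its own forwarding lines. As a minor point, the `regexp` values leave the dots unescaped (`^net.ipv4.conf.all.forwarding=(.*)`), which is harmless here but `^net\.ipv4\.conf\.all\.forwarding=` is what is meant. The hunk header counts more added lines than are shown, so some lines of this hunk appear to be collapsed in this view.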
6f816c3e09af4f17f266a55b1e0a91c844110239bb877e60a6d5087b7ce5fd73 - c9c155e4524525b7e4c89cc9252311351a59f25e55bd85ce75bc3c966951d133 -