From b285305fe17daf3e0dd39ce2ead5ac3f16173cef Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 2 Oct 2017 11:18:16 +0200 Subject: [PATCH] Add role network-iptables-gateway - move netfilter specific sysctl settings --- inventory/group_vars/all | 3 ++ playbooks/gateways.yml | 1 + roles/network-iptables-gateway/README.md | 29 ++++++++++++++ .../handlers/main.yml | 6 +++ roles/network-iptables-gateway/tasks/main.yml | 35 +++++++++++++++++ .../templates/rules.v4.j2 | 38 +++++++++++++++++++ .../templates/rules.v6.j2 | 31 +++++++++++++++ roles/network-iptables-gateway/vars/main.yml | 6 +++ roles/system-sysctl-gateway/vars/main.yml | 4 -- 9 files changed, 149 insertions(+), 4 deletions(-) create mode 100644 roles/network-iptables-gateway/README.md create mode 100644 roles/network-iptables-gateway/handlers/main.yml create mode 100644 roles/network-iptables-gateway/tasks/main.yml create mode 100644 roles/network-iptables-gateway/templates/rules.v4.j2 create mode 100644 roles/network-iptables-gateway/templates/rules.v6.j2 create mode 100644 roles/network-iptables-gateway/vars/main.yml diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 3c0a1b6..1c841da 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -2,6 +2,9 @@ as_private_mwu: 65037 as_public_ffrl: 201701 +internet_exit_mtu_ipv4: 1240 +internet_exit_mtu_ipv6: 1220 + routing_tables: icvpn: 23 mwu: 41 diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 3ae578b..e8b18ea 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -19,6 +19,7 @@ - service-fastd-intragate - git-fastd-peers - network-fastd + - network-iptables-gateway - network-ffrl - service-tinc - service-bird diff --git a/roles/network-iptables-gateway/README.md b/roles/network-iptables-gateway/README.md new file mode 100644 index 0000000..75cc545 --- /dev/null +++ b/roles/network-iptables-gateway/README.md 
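Review bot: `internet_exit_mtu_ipv4: 1240` and `internet_exit_mtu_ipv6: 1220` are consumed unmodified as `--set-mss` values in rules.v4.j2 and rules.v6.j2 of this same patch, so the names say MTU while the values act as TCP MSS. If 1240/1220 really are the exit MTUs, the clamp leaves 40 (IPv4) or 60 (IPv6) bytes too much and the MSS should be derived as MTU minus IP and TCP headers; if they are already MSS values, a name that says so would remove the ambiguity. Either way a one-line comment beside each value, e.g. `# applied as TCP MSS clamp on ffrl+ (role network-iptables-gateway)`, would tell the next reader what the number is.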
@@ -0,0 +1,29 @@ +# Ansible role network-iptables-gateway + +Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways. + +- installiert iptables+iptables-persistent +- schreibt rules.v4 + rules.v6 +- setzt netfilter sysctl parameter + +## Benötigte Variablen + +- List `sysctl_settings_netfilter` (Rollen Variable) +´´´ +sysctl_settings_netfilter: + - name: # sysctl-Parameter + value: # zu setzender Wert + +´´´ +- Dictionary `meshes` +´´´ +meshes: + xx: +... + ipv4_network: +... + +´´´ +- Variable `internet_exit_mtu_ipv4` +- Variable `internet_exit_mtu_ipv6` +- Host Variable `ffrl_public_ipv4_nat` diff --git a/roles/network-iptables-gateway/handlers/main.yml b/roles/network-iptables-gateway/handlers/main.yml new file mode 100644 index 0000000..5dfa033 --- /dev/null +++ b/roles/network-iptables-gateway/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: iptables-restore + shell: iptables-restore < /etc/iptables/rules.v4 + +- name: ip6tables-restore + shell: ip6tables-restore < /etc/iptables/rules.v6 diff --git a/roles/network-iptables-gateway/tasks/main.yml b/roles/network-iptables-gateway/tasks/main.yml new file mode 100644 index 0000000..93eed04 --- /dev/null +++ b/roles/network-iptables-gateway/tasks/main.yml @@ -0,0 +1,35 @@ +--- +- name: install iptables packages + apt: + name: "{{ item }}" + state: present + with_items: + - iptables + - iptables-persistent + +- name: load netfilter modules + modprobe: + name: "{{ item }}" + state: present + with_items: + - nf_conntrack + - nf_conntrack_ipv4 + +- name: set netfilter sysctl settings + sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: present + with_items: "{{ sysctl_settings_netfilter }}" + +- name: write iptables configuration + template: + src: rules.v4.j2 + dest: /etc/iptables/rules.v4 + notify: iptables-restore + +- name: write ip6tables configuration + template: + src: rules.v6.j2 + dest: /etc/iptables/rules.v6 + notify: ip6tables-restore 
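Review bot: The two `template:` tasks in tasks/main.yml write rules.v4 and rules.v6 without validating them, so a render that iptables-restore rejects is still persisted under /etc/iptables, where iptables-persistent loads it at boot, and the error only surfaces in the notified handler. Add `validate: 'iptables-restore --test %s'` to the rules.v4 task and `validate: 'ip6tables-restore --test %s'` to the rules.v6 task so a bad ruleset never replaces the file on disk. Separately, the `modprobe` task loads nf_conntrack only for the running system; if the boot-time sysctl pass runs before the module is loaded, the `net.netfilter.*` keys written by the sysctl task presumably cannot be applied and `nf_conntrack_max` stays at the kernel default after a reboot — worth confirming on a gateway, and persisting the module list (e.g. via /etc/modules-load.d/) if so.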
diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 new file mode 100644 index 0000000..b3f0cce --- /dev/null +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 @@ -0,0 +1,38 @@ +# +# {{ ansible_managed }} +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +{% for mesh_id, mesh_value in meshes.iteritems() %} +-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% endfor %} +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT +-A OUTPUT -m conntrack --ctstate INVALID -j DROP +-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +COMMIT +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv4 }} +COMMIT +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:ffrl-nat - [0:0] +{% for mesh_id, mesh_value in meshes.iteritems() %} +-A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat +{% endfor %} +-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat }} +COMMIT diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2 new file mode 100644 index 0000000..fbc36ab --- /dev/null +++ b/roles/network-iptables-gateway/templates/rules.v6.j2 
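Review bot: The two GRE rules render `{{ ansible_default_ipv4.address | ipaddr('public') }}`, and when the host's default address is not public the filter yields a false value (typically `False`) instead of an address, so the line becomes something like `-A INPUT -d False/32 -p gre -j ACCEPT` and iptables-restore rejects the whole file; wrap both lines in `{% if ansible_default_ipv4.address | ipaddr('public') %}` … `{% endif %}` or fail early with an assert task in the role. `meshes.iteritems()` (also used in rules.v6.j2) is Python-2-only and breaks on a Python 3 controller; `meshes.items()` behaves the same on both. Note also that with `:INPUT ACCEPT [0:0]` and no terminating deny, the GRE and conntrack ACCEPT rules only short-circuit evaluation and restrict nothing — if an open INPUT chain is intended on gateways, a comment saying so would keep the next reader from assuming a host firewall exists here.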
@@ -0,0 +1,31 @@ +# +# {{ ansible_managed }} +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +{% for mesh_id, mesh_value in meshes.iteritems() %} +-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% endfor %} +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m conntrack --ctstate INVALID -j DROP +-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +COMMIT +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv6 }} +COMMIT +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT diff --git a/roles/network-iptables-gateway/vars/main.yml b/roles/network-iptables-gateway/vars/main.yml new file mode 100644 index 0000000..1d44152 --- /dev/null +++ b/roles/network-iptables-gateway/vars/main.yml @@ -0,0 +1,6 @@ +--- +sysctl_settings_netfilter: + - name: net.netfilter.nf_conntrack_tcp_timeout_established + value: 86400 + - name: net.netfilter.nf_conntrack_max + value: 262140 diff --git a/roles/system-sysctl-gateway/vars/main.yml b/roles/system-sysctl-gateway/vars/main.yml index c0e4223..648b476 100644 --- a/roles/system-sysctl-gateway/vars/main.yml +++ b/roles/system-sysctl-gateway/vars/main.yml @@ -12,10 +12,6 @@ sysctl_settings_gateway: value: 2048 - name: net.ipv4.neigh.default.gc_thresh3 value: 4096 - - name: net.netfilter.nf_conntrack_tcp_timeout_established - value: 86400 - - name: net.netfilter.nf_conntrack_max - value: 262140 - name: net.ipv6.conf.all.forwarding value: 1 - name: net.ipv6.conf.all.autoconf
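Review bot: The `*nat` block at the end of rules.v6.j2 declares four chains and no rules, yet ip6tables-restore still has to initialise the IPv6 nat table (ip6table_nat) to load it, so on a kernel or build without IPv6 NAT support the restore of the entire file fails because of a table nothing uses. Drop the `*nat` … `COMMIT` section unless a rule is planned for it, or keep it with a comment such as `# nat table kept empty on purpose; needs ip6table_nat` so the dependency is visible. The ACCEPT-policy remark made on rules.v4.j2 applies to the filter table here as well.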
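Review bot: `sysctl_settings_netfilter` is defined in the role's `vars/main.yml`, which takes precedence over inventory group_vars and host_vars, so the established-TCP timeout and `nf_conntrack_max` (262140) cannot be tuned per host or group without editing the role; the README in this patch calls it a role variable, so if tuning is expected the list belongs in `defaults/main.yml`. A short comment on each value, e.g. `# 24h before an idle established TCP flow is dropped from conntrack`, and the basis for 262140 would help whoever revisits these numbers.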