Add role network-iptables-gateway

- move netfilter-specific sysctl settings
This commit is contained in:
Tobias Hachmer 2017-10-02 11:18:16 +02:00
parent 4596743a56
commit b285305fe1
9 changed files with 149 additions and 4 deletions


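--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
 as_private_mwu: 65037
 as_public_ffrl: 201701
+internet_exit_mtu_ipv4: 1240
+internet_exit_mtu_ipv6: 1220
 routing_tables:
 icvpn: 23
 mwu: 41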


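--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -19,6 +19,7 @@
 - service-fastd-intragate
 - git-fastd-peers
 - network-fastd
+- network-iptables-gateway
 - network-ffrl
 - service-tinc
 - service-bird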


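--- /dev/null
+++ b/PATH-NOT-ON-PAGE
+# Ansible role network-iptables-gateway
+Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways.
+- installiert iptables+iptables-persistent
+- schreibt rules.v4 + rules.v6
+- setzt netfilter sysctl parameter
+## Benötigte Variablen
+- List `sysctl_settings_netfilter` (Rollen Variable)
+´´´
+sysctl_settings_netfilter:
+- name: # sysctl-Parameter
+value: # zu setzender Wert
+´´´
+- Dictionary `meshes`
+´´´
+meshes:
+xx:
+...
+ipv4_network:
+...
+´´´
+- Variable `internet_exit_mtu_ipv4`
+- Variable `internet_exit_mtu_ipv6`
+- Host Variable `ffrl_public_ipv4_nat`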


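--- /dev/null
+++ b/PATH-NOT-ON-PAGE
+---
+- name: iptables-restore
+shell: iptables-restore < /etc/iptables/rules.v4
+- name: ip6tables-restore
+shell: ip6tables-restore < /etc/iptables/rules.v6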
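Review bot: Both handlers run `iptables-restore` / `ip6tables-restore` without `--noflush`, so every table in the kernel is replaced by the file each time a handler fires, and any rules that other software on the gateway inserts at runtime are silently dropped until that software re-adds them; if nothing else manages netfilter on these hosts that is the intended behaviour, but it deserves a comment on each handler, e.g. `# full replace of all tables: rules added outside this role are lost`. Because the handler runs only after the template task has already written the file, a rules file that fails to parse is left on disk for the next boot; checking the rendered file before installing it belongs in the tasks file rather than here.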


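--- /dev/null
+++ b/PATH-NOT-ON-PAGE
+---
+- name: install iptables packages
+apt:
+name: "{{ item }}"
+state: present
+with_items:
+- iptables
+- iptables-persistent
+- name: load netfilter modules
+modprobe:
+name: "{{ item }}"
+state: present
+with_items:
+- nf_conntrack
+- nf_conntrack_ipv4
+- name: set netfilter sysctl settings
+sysctl:
+name: "{{ item.name }}"
+value: "{{ item.value }}"
+state: present
+with_items: "{{ sysctl_settings_netfilter }}"
+- name: write iptables configuration
+template:
+src: rules.v4.j2
+dest: /etc/iptables/rules.v4
+notify: iptables-restore
+- name: write ip6tables configuration
+template:
+src: rules.v6.j2
+dest: /etc/iptables/rules.v6
+notify: ip6tables-restore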
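Review bot: The two `template:` tasks install `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6` without a `validate:` step, so a template that renders into something iptables-restore rejects (an undefined variable, or a filter that yields an empty value) replaces the working file first and only the notified handler fails, leaving a broken file that iptables-persistent will try to load at the next boot; adding `validate: 'iptables-restore --test %s'` to the first task and `validate: 'ip6tables-restore --test %s'` to the second makes the task itself fail before the previous file is overwritten. The `modprobe` task loads `nf_conntrack` for the running kernel only, while the `sysctl` task persists `net.netfilter.nf_conntrack_max` and the conntrack timeout to the sysctl configuration; presumably those keys will fail to apply at boot if sysctl runs before the module is loaded, so a persistent module entry (e.g. a `/etc/modules-load.d` file written by this role) would make the boot order irrelevant. `nf_conntrack_ipv4` is also a module that newer kernels no longer ship as a separate object, so this list may need a version guard later.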


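--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,38 @@
+#
+# {{ ansible_managed }}
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
+{% endfor %}
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
+-A OUTPUT -m conntrack --ctstate INVALID -j DROP
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv4 }}
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:ffrl-nat - [0:0]
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
+{% endfor %}
+-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat }}
+COMMIT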
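Review bot: `meshes.iteritems()` in both `{% for %}` loops (the `-A FORWARD -i {{ mesh_id }}BR` loop and the `-A POSTROUTING -s {{ mesh_value.ipv4_network ...` loop) is Python 2 only; on a Python 3 Ansible controller a dict has no `iteritems` and the template fails to render, whereas `meshes.items()` works on both, and the same loop in rules.v6.j2 has the same issue. The `-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT` rule and its OUTPUT twin render an invalid address whenever the host's default IPv4 address is not public, because `ipaddr('public')` then yields a false/empty value instead of the address and iptables-restore rejects the whole file; if a gateway behind a private address is ever possible, wrapping the two rules in `{% if ansible_default_ipv4.address | ipaddr('public') %}` or taking the GRE endpoint from an explicit host variable would be safer. With the INPUT, FORWARD and OUTPUT policies left at ACCEPT, the `RELATED,ESTABLISHED -j ACCEPT` rules only short-circuit evaluation and the single restrictive effect of `*filter` is dropping INVALID state; a short template comment such as `# policies stay ACCEPT on purpose: this host is a mesh exit gateway` would tell the next reader that this is intended rather than unfinished.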


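--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,31 @@
+#
+# {{ ansible_managed }}
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
+{% endfor %}
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m conntrack --ctstate INVALID -j DROP
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv6 }}
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT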
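Review bot: The TCPMSS rule in `*mangle` applies `{{ internet_exit_mtu_ipv6 }}` directly as the TCP MSS (`--set-mss`), yet the variable is named as an MTU; for IPv6 the MSS matching a path MTU is MTU − 60 (40 bytes IPv6 header + 20 bytes TCP), and for the IPv4 twin in rules.v4.j2 it is MTU − 40. The values added in this commit (1240 for IPv4, 1220 for IPv6) differ by exactly 20, which suggests they are already MSS values derived from a 1280-byte path, so the name is what misleads; either rename the variables or put `# value is the MSS to clamp to, not the link MTU` above this rule, because a later reader is likely to "correct" it by subtracting the header sizes again. If the values really are MTUs, `--clamp-mss-to-pmtu` or the subtracted MSS is what is wanted. Unlike rules.v4.j2 this template carries no GRE accept rule; presumably the tunnels run over IPv4 only, and since all policies are ACCEPT the asymmetry is harmless, but a one-line comment saying so would remove the doubt.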


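--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,6 @@
+---
+sysctl_settings_netfilter:
+- name: net.netfilter.nf_conntrack_tcp_timeout_established
+value: 86400
+- name: net.netfilter.nf_conntrack_max
+value: 262140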


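--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -12,10 +12,6 @@ sysctl_settings_gateway:
 value: 2048
 - name: net.ipv4.neigh.default.gc_thresh3
 value: 4096
-- name: net.netfilter.nf_conntrack_tcp_timeout_established
-value: 86400
-- name: net.netfilter.nf_conntrack_max
-value: 262140
 - name: net.ipv6.conf.all.forwarding
 value: 1
 - name: net.ipv6.conf.all.autoconf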