Add role network-iptables-gateway

- move netfilter specific sysctl settings

inventory/group_vars/all

@@ -2,6 +2,9 @@
 as_private_mwu: 65037
 as_public_ffrl: 201701
 
+internet_exit_mtu_ipv4: 1240
+internet_exit_mtu_ipv6: 1220
+
 routing_tables:
   icvpn: 23
   mwu: 41

playbooks/gateways.yml

@@ -19,6 +19,7 @@
     - service-fastd-intragate
     - git-fastd-peers
     - network-fastd
+    - network-iptables-gateway
     - network-ffrl
     - service-tinc
     - service-bird

roles/network-iptables-gateway/README.md

@@ -0,0 +1,29 @@
+# Ansible role network-iptables-gateway
+
+Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways.
+
+- installiert iptables+iptables-persistent
+- schreibt rules.v4 + rules.v6
+- setzt netfilter sysctl parameter
+
+## Benötigte Variablen
+
+- List `sysctl_settings_netfilter` (Rollen Variable)
+´´´
+sysctl_settings_netfilter:
+  - name:       # sysctl-Parameter
+    value:      # zu setzender Wert
+
+´´´
+- Dictionary `meshes`
+´´´
+meshes:
+  xx:
+...
+    ipv4_network:
+...
+
+´´´
+- Variable `internet_exit_mtu_ipv4`
+- Variable `internet_exit_mtu_ipv6`
+- Host Variable `ffrl_public_ipv4_nat`

roles/network-iptables-gateway/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: iptables-restore
+  shell: iptables-restore < /etc/iptables/rules.v4
+
+- name: ip6tables-restore
+  shell: ip6tables-restore < /etc/iptables/rules.v6

roles/network-iptables-gateway/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: install iptables packages
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - iptables
+    - iptables-persistent
+
+- name: load netfilter modules
+  modprobe:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - nf_conntrack
+    - nf_conntrack_ipv4
+
+- name: set netfilter sysctl settings
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+  with_items: "{{ sysctl_settings_netfilter }}"
+
+- name: write iptables configuration
+  template:
+    src: rules.v4.j2
+    dest: /etc/iptables/rules.v4
+  notify: iptables-restore
+
+- name: write ip6tables configuration
+  template:
+    src: rules.v6.j2
+    dest: /etc/iptables/rules.v6
+  notify: ip6tables-restore

roles/network-iptables-gateway/templates/rules.v4.j2

@@ -0,0 +1,38 @@
+#
+# {{ ansible_managed }}
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
+{% endfor %}
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
+-A OUTPUT -m conntrack --ctstate INVALID -j DROP
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv4 }}
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:ffrl-nat - [0:0]
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
+{% endfor %}
+-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat }}
+COMMIT

roles/network-iptables-gateway/templates/rules.v6.j2

@@ -0,0 +1,31 @@
+#
+# {{ ansible_managed }}
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
+{% endfor %}
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m conntrack --ctstate INVALID -j DROP
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv6 }}
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT

roles/network-iptables-gateway/vars/main.yml

@@ -0,0 +1,6 @@
+---
+sysctl_settings_netfilter:
+  - name: net.netfilter.nf_conntrack_tcp_timeout_established
+    value: 86400
+  - name: net.netfilter.nf_conntrack_max
+    value: 262140

roles/system-sysctl-gateway/vars/main.yml

@@ -12,10 +12,6 @@ sysctl_settings_gateway:
     value: 2048
   - name: net.ipv4.neigh.default.gc_thresh3
     value: 4096
-  - name: net.netfilter.nf_conntrack_tcp_timeout_established
-    value: 86400
-  - name: net.netfilter.nf_conntrack_max
-    value: 262140
   - name: net.ipv6.conf.all.forwarding
     value: 1
   - name: net.ipv6.conf.all.autoconf