playbook/ors: configure firewall

4cc8e3a0 · Joanne Hugé · be4eea75 · 4cc8e3a0 · 4cc8e3a0 · 4cc8e3a0
Commit 4cc8e3a0 authored Sep 27, 2023 by Joanne Hugé
Showing with 90 additions and 1 deletion

playbook/roles/ors/files/configure-firewall playbook/roles/ors/files/configure-firewall +80 -0

playbook/roles/ors/tasks/main.yml playbook/roles/ors/tasks/main.yml +9 -0

playbook/sha256sum playbook/sha256sum +1 -1

No files found.
--- a/playbook/roles/ors/files/configure-firewall
+++ b/playbook/roles/ors/files/configure-firewall
+#!/bin/bash
+
+# Enable ipv4 and ipv6 forwarding for core network
+echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
+echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+# Set correct iptables rules
+IF_LIST=()
+CONFV4="/etc/iptables/rules.v4"
+TMPV4="/tmp/rules.v4.$(date +%s)"
+CONFV6="/etc/iptables/rules.v6"
+TMPV6="/tmp/rules.v6.$(date +%s)"
+
+## Get sorted list of physical network interfaces
+cd /sys/class/net;
+for IF in $(find . -type l -printf "%f\n"); do
+  # If interface is not virtual
+  if ! realpath $(readlink $IF) | grep -q "^/sys/devices/virtual"; then
+    IF_LIST+=($IF);
+  fi
+done
+IFS=$'\n' IF_LIST_SORTED=($(sort <<<"${IF_LIST[*]}"))
+unset IFS
+
+## Write target IPv4 rules
+cat > $TMPV4 << EOF
+*nat
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination :5353
+-A POSTROUTING -p udp -m udp --sport 5353 -j SNAT --to-source :53
+EOF
+for IF in "${IF_LIST_SORTED[@]}"; do
+  cat >> $TMPV4 << EOF
+-A POSTROUTING -o $IF -j MASQUERADE
+EOF
+done
+cat >> $TMPV4 << EOF
+COMMIT
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+COMMIT
+EOF
+## Write target IPv6 rules
+cat > $TMPV6 << EOF
+*nat
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+EOF
+for IF in "${IF_LIST_SORTED[@]}"; do
+  cat >> $TMPV6 << EOF
+-A POSTROUTING -o $IF -j MASQUERADE
+EOF
+done
+cat >> $TMPV6 << EOF
+COMMIT
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+COMMIT
+EOF
+
+## Reconfigure iptables if current rules doens't match target rules
+touch $CONFV4 $CONFV6
+if ! diff $TMPV4 $CONFV4; then
+  cp $TMPV4 $CONFV4
+  iptables-restore $CONFV4
+fi
+if ! diff $TMPV6 $CONFV6; then
+  cp $TMPV6 $CONFV6
+  ip6tables-restore $CONFV6
+fi
+rm -f $TMPV4 $TMPV6
--- a/playbook/roles/ors/tasks/main.yml
+++ b/playbook/roles/ors/tasks/main.yml
@@ -95,6 +95,9 @@

 # Network

+  - name: Configure firewall
+    script: configure-firewall
+
  - name: Configure /etc/systemd/network/dhcp.network
    copy: src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644

@@ -110,6 +113,12 @@
  - name: Configure dhcp timeout
    lineinfile: dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present

+  - name: Configure IPv4 forwarding
+    lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.conf.all.forwarding=(.*)" line="net.ipv4.conf.all.forwarding=1" state=present
+
+  - name: Configure IPv6 forwarding
+    lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv6.conf.all.forwarding=(.*)" line="net.ipv6.conf.all.forwarding=1" state=present
+
  - name: Disable dnsmasq service
    systemd: name=dnsmasq.service enabled=no state=stopped


--- a/playbook/sha256sum
+++ b/playbook/sha256sum
-6f816c3e09af4f17f266a55b1e0a91c844110239bb877e60a6d5087b7ce5fd73  -
+c9c155e4524525b7e4c89cc9252311351a59f25e55bd85ce75bc3c966951d133  -