Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
S
slapos.package
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
14
Merge Requests
14
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nexedi
slapos.package
Commits
fc4992e7
Commit
fc4992e7
authored
Sep 27, 2023
by
Joanne Hugé
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
playbook/ors: configure firewall
parent
e4f41c3c
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
92 additions
and
1 deletion
+92
-1
playbook/roles/ors/files/configure-firewall
playbook/roles/ors/files/configure-firewall
+81
-0
playbook/roles/ors/meta/main.yml
playbook/roles/ors/meta/main.yml
+1
-0
playbook/roles/ors/tasks/main.yml
playbook/roles/ors/tasks/main.yml
+9
-0
playbook/sha256sum
playbook/sha256sum
+1
-1
No files found.
playbook/roles/ors/files/configure-firewall
0 → 100755
View file @
fc4992e7
#!/bin/bash
# Enable ipv4 and ipv6 forwarding for core network
echo
1
>
/proc/sys/net/ipv4/conf/all/forwarding
echo
1
>
/proc/sys/net/ipv6/conf/all/forwarding
# Set correct iptables rules
mkdir
-p
/etc/iptables
IF_LIST
=()
CONFV4
=
"/etc/iptables/rules.v4"
TMPV4
=
"/tmp/rules.v4.
$(
date
+%s
)
"
CONFV6
=
"/etc/iptables/rules.v6"
TMPV6
=
"/tmp/rules.v6.
$(
date
+%s
)
"
## Get sorted list of physical network interfaces
cd
/sys/class/net
;
for
IF
in
$(
find
.
-type
l
-printf
"%f
\n
"
)
;
do
# If interface is not virtual
if
!
realpath
$(
readlink
$IF
)
|
grep
-q
"^/sys/devices/virtual"
;
then
IF_LIST+
=(
$IF
)
;
fi
done
IFS
=
$'
\n
'
IF_LIST_SORTED
=(
$(
sort
<<<
"
${
IF_LIST
[*]
}
"
)
)
unset
IFS
## Write target IPv4 rules
cat
>
$TMPV4
<<
EOF
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination :5353
-A POSTROUTING -p udp -m udp --sport 5353 -j SNAT --to-source :53
EOF
for
IF
in
"
${
IF_LIST_SORTED
[@]
}
"
;
do
cat
>>
$TMPV4
<<
EOF
-A POSTROUTING -o
$IF
-j MASQUERADE
EOF
done
cat
>>
$TMPV4
<<
EOF
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
## Write target IPv6 rules
cat
>
$TMPV6
<<
EOF
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
EOF
for
IF
in
"
${
IF_LIST_SORTED
[@]
}
"
;
do
cat
>>
$TMPV6
<<
EOF
-A POSTROUTING -o
$IF
-j MASQUERADE
EOF
done
cat
>>
$TMPV6
<<
EOF
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
## Reconfigure iptables if current rules doens't match target rules
touch
$CONFV4
$CONFV6
if
!
diff
$TMPV4
$CONFV4
;
then
cp
$TMPV4
$CONFV4
iptables-restore
$CONFV4
fi
if
!
diff
$TMPV6
$CONFV6
;
then
cp
$TMPV6
$CONFV6
ip6tables-restore
$CONFV6
fi
rm
-f
$TMPV4
$TMPV6
playbook/roles/ors/meta/main.yml
View file @
fc4992e7
...
@@ -4,3 +4,4 @@ dependencies:
...
@@ -4,3 +4,4 @@ dependencies:
-
{
role
:
package
,
package_name
:
patchelf
,
package_state
:
present
}
-
{
role
:
package
,
package_name
:
patchelf
,
package_state
:
present
}
-
{
role
:
package
,
package_name
:
util-linux
,
package_state
:
present
}
-
{
role
:
package
,
package_name
:
util-linux
,
package_state
:
present
}
-
{
role
:
package
,
package_name
:
grub-efi-amd64-signed
,
package_state
:
present
}
-
{
role
:
package
,
package_name
:
grub-efi-amd64-signed
,
package_state
:
present
}
-
{
role
:
package
,
package_name
:
iptables-persistent
,
package_state
:
present
}
playbook/roles/ors/tasks/main.yml
View file @
fc4992e7
...
@@ -95,6 +95,9 @@
...
@@ -95,6 +95,9 @@
# Network
# Network
-
name
:
Configure firewall
script
:
configure-firewall
-
name
:
Configure /etc/systemd/network/dhcp.network
-
name
:
Configure /etc/systemd/network/dhcp.network
copy
:
src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644
copy
:
src=systemd-dhcp-network dest=/etc/systemd/network/dhcp.network owner=root mode=644
...
@@ -116,6 +119,12 @@
...
@@ -116,6 +119,12 @@
-
name
:
Configure dhcp timeout
-
name
:
Configure dhcp timeout
lineinfile
:
dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present
lineinfile
:
dest=/etc/dhcp/dhclient.conf regexp="^timeout (.*)" line="timeout 15" state=present
-
name
:
Configure IPv4 forwarding
lineinfile
:
dest=/etc/sysctl.conf regexp="^net.ipv4.conf.all.forwarding=(.*)" line="net.ipv4.conf.all.forwarding=1" state=present
-
name
:
Configure IPv6 forwarding
lineinfile
:
dest=/etc/sysctl.conf regexp="^net.ipv6.conf.all.forwarding=(.*)" line="net.ipv6.conf.all.forwarding=1" state=present
-
name
:
Disable dnsmasq service
-
name
:
Disable dnsmasq service
systemd
:
name=dnsmasq.service enabled=no state=stopped
systemd
:
name=dnsmasq.service enabled=no state=stopped
...
...
playbook/sha256sum
View file @
fc4992e7
956c7348e0e5264fd18a9bffadf143b43f1f8ea8a1bd426c5ef63d5296b75fc8
-
854b576529267f942a8fc70331c440bd16e3a8256ec3824b5454a60ab71c127b
-
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment