ansible/router
ansible/router
2
0
Fork 0
Code Issues 1 Pull requests Activity

chore: remove all IPv6 functionality

Browse source
This commit is contained in:
Simon Cornet 2026-02-16 14:39:22 +01:00
commit d08faaf862
8 changed files with 224 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

8
defaults/main.yaml
View file

@ -1,2 +1,8 @@
---
# Default variables for ans-router
# interfaces
wan_interface: "eth0"
lan_interface: "eth1"
# nat rules
nat_port_forwards: []

13
handlers/main.yaml
View file

@ -1,2 +1,13 @@
---
# Handlers for ans-router
- name: "restart iptables"
ansible.builtin.service:
name: "iptables"
state: "restarted"
when: "ipv4_enabled"
- name: "restart ip6tables"
ansible.builtin.service:
name: "ip6tables"
state: "restarted"
when: "ipv6_enabled"

12
meta/main.yaml
View file

@ -1,13 +1,11 @@
---
# meta information for ans-router
galaxy_info:
role_name: router
namespace: siempie
author: Simon
description: Configure router on Alpine Linux
license: MIT
author: "Simon"
description: "Alpine Linux router with NAT and firewall"
license: "MIT"
min_ansible_version: "2.14"
platforms:
- name: Alpine
- name: "Alpine"
versions:
- "3.23"
dependencies: []

142
tasks/firewall.yaml
View file

@ -1,2 +1,142 @@
---
# Configure firewall
# deploy ipv4 iptable rules
- name: "firewall - ipv4 rules"
ansible.builtin.copy:
dest: "/etc/iptables/rules-save"
mode: "0600"
owner: "root"
group: "root"
content: |
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT masquerade from LAN to WAN
-A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
{% for forward in nat_port_forwards %}
# {{ forward.name }}
-A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }}
{% endfor %}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow established/related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow LAN management access
-A INPUT -i {{ lan_interface }} -j ACCEPT
# Allow forwarding from LAN to anywhere
-A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
{% for forward in nat_port_forwards %}
# {{ forward.name }}
-A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT
{% endfor %}
COMMIT
notify: "restart iptables"
when: "ipv4_enabled"
# deploy ipv6 iptable rules
- name: "firewall - deploy ipv6 rules"
ansible.builtin.copy:
dest: "/etc/ip6tables/rules-save"
mode: "0600"
owner: "root"
group: "root"
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow established/related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow LAN management access
-A INPUT -i {{ lan_interface }} -j ACCEPT
# Allow ICMPv6 (required for NDP/RA)
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# Allow forwarding from LAN to anywhere
-A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
COMMIT
notify: "restart ip6tables"
when: "ipv6_enabled"
# remove iptables rules when disabled
- name: "firewall - remove ipv4 rules"
ansible.builtin.file:
path: "/etc/iptables/rules-save"
state: "absent"
notify: "restart iptables"
when: "not ipv4_enabled"
# remove ip6tables rules when disabled
- name: "firewall - remove ipv6 rules"
ansible.builtin.file:
path: "/etc/ip6tables/rules-save"
state: "absent"
notify: "restart ip6tables"
when: "not ipv6_enabled"
# load nf_conntrack module
- name: "firewall - load nf_conntrack module"
community.general.modprobe:
name: "nf_conntrack"
state: "present"
when: "ipv4_enabled or ipv6_enabled"
# configure nf_conntrack hashsize
- name: "firewall - configure nf_conntrack hashsize"
ansible.builtin.lineinfile:
path: "/etc/modprobe.d/nf_conntrack.conf"
line: "options nf_conntrack hashsize=16384"
create: true
mode: "0644"
owner: "root"
group: "root"
when: "ipv4_enabled or ipv6_enabled"
# load nf_conntrack at boot
- name: "firewall - load nf_conntrack at boot"
ansible.builtin.lineinfile:
path: "/etc/modules"
line: "nf_conntrack"
create: true
mode: "0644"
owner: "root"
group: "root"
when: "ipv4_enabled or ipv6_enabled"
# set nf_conntrack hashsize at runtime
- name: "firewall - set nf_conntrack hashsize runtime"
ansible.builtin.shell:
cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize"
changed_when: false
when: "ipv4_enabled or ipv6_enabled"
# configure nf_conntrack sysctl settings
- name: "firewall - configure conntrack sysctl settings"
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: "present"
sysctl_file: "/etc/sysctl.conf"
reload: false
loop:
- name: "net.netfilter.nf_conntrack_max"
value: "16384"
- name: "net.netfilter.nf_conntrack_tcp_timeout_established"
value: "3600"
- name: "net.netfilter.nf_conntrack_generic_timeout"
value: "120"
when: "ipv4_enabled or ipv6_enabled"

2
tasks/install.yaml
View file

@ -1,2 +0,0 @@
---
# Install router components

5
tasks/main.yaml
View file

@ -1,10 +1,5 @@
---
- name: "install"
ansible.builtin.import_tasks: "install.yaml"
tags:
- "all"
- name: "routing"
ansible.builtin.import_tasks: "routing.yaml"
tags:

40
tasks/performance.yaml
View file

@ -1,2 +1,40 @@
---
# Configure performance
# tcp performance tuning
- name: "configure tcp performance settings"
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: "present"
sysctl_file: "/etc/sysctl.conf"
reload: false
loop:
- name: "net.core.netdev_max_backlog"
value: "5000"
- name: "net.core.rmem_max"
value: "16777216"
- name: "net.core.wmem_max"
value: "16777216"
- name: "net.ipv4.tcp_rmem"
value: "4096 87380 16777216"
- name: "net.ipv4.tcp_wmem"
value: "4096 65536 16777216"
- name: "net.ipv4.tcp_congestion_control"
value: "bbr"
- name: "net.core.default_qdisc"
value: "fq"
- name: "net.ipv4.tcp_fin_timeout"
value: "15"
- name: "net.ipv4.tcp_tw_reuse"
value: "1"
- name: "net.ipv4.tcp_ecn"
value: "1"
- name: "net.core.netdev_budget"
value: "600"
- name: "net.core.netdev_budget_usecs"
value: "8000"
- name: "Apply all sysctl settings"
ansible.builtin.command:
cmd: "sysctl -p"
changed_when: false

30
tasks/routing.yaml
View file

@ -4,20 +4,30 @@
community.general.apk:
name:
- "iptables"
- "ip6tables"
state: "present"
update_cache: true
- name: "enable ipv4 forwarding"
- name: "configure ipv4 forwarding"
ansible.posix.sysctl:
name: "net.ipv4.ip_forward"
name: "net.ipv4.conf.all.forwarding"
value: "1"
sysctl_set: true
state: present
state: "present"
sysctl_file: "/etc/sysctl.conf"
reload: false
- name: "enable ipv6 forwarding"
- name: "disable ipv4 redirects and source routing"
ansible.posix.sysctl:
name: "net.ipv6.conf.all.forwarding"
value: "1"
sysctl_set: true
state: present
name: "{{ item.name }}"
value: "{{ item.value }}"
state: "present"
sysctl_file: "/etc/sysctl.conf"
reload: false
loop:
- name: "net.ipv4.conf.all.accept_redirects"
value: "0"
- name: "net.ipv4.conf.all.send_redirects"
value: "0"
- name: "net.ipv4.conf.all.accept_source_route"
value: "0"
- name: "net.ipv4.conf.all.log_martians"
value: "0"