From d08faaf8623cea9f4aafbcdf34c544a62fe8c938 Mon Sep 17 00:00:00 2001 From: Simon Cornet Date: Mon, 16 Feb 2026 14:39:22 +0100 Subject: [PATCH] chore: remove all IPv6 functionality --- defaults/main.yaml | 8 ++- handlers/main.yaml | 13 +++- meta/main.yaml | 12 ++-- tasks/firewall.yaml | 142 ++++++++++++++++++++++++++++++++++++++++- tasks/install.yaml | 2 - tasks/main.yaml | 5 -- tasks/performance.yaml | 40 +++++++++++- tasks/routing.yaml | 30 ++++++--- 8 files changed, 224 insertions(+), 28 deletions(-) delete mode 100644 tasks/install.yaml diff --git a/defaults/main.yaml b/defaults/main.yaml index 9f21745..c3d2f4f 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml @@ -1,2 +1,8 @@ --- -# Default variables for ans-router + +# interfaces +wan_interface: "eth0" +lan_interface: "eth1" + +# nat rules +nat_port_forwards: [] diff --git a/handlers/main.yaml b/handlers/main.yaml index e72b806..2b0f573 100644 --- a/handlers/main.yaml +++ b/handlers/main.yaml @@ -1,2 +1,13 @@ --- -# Handlers for ans-router + +- name: "restart iptables" + ansible.builtin.service: + name: "iptables" + state: "restarted" + when: "ipv4_enabled" + +- name: "restart ip6tables" + ansible.builtin.service: + name: "ip6tables" + state: "restarted" + when: "ipv6_enabled" diff --git a/meta/main.yaml b/meta/main.yaml index 36db4ee..495ae00 100644 --- a/meta/main.yaml +++ b/meta/main.yaml @@ -1,13 +1,11 @@ --- -# meta information for ans-router galaxy_info: - role_name: router - namespace: siempie - author: Simon - description: Configure router on Alpine Linux - license: MIT + author: "Simon" + description: "Alpine Linux router with NAT and firewall" + license: "MIT" min_ansible_version: "2.14" platforms: - - name: Alpine + - name: "Alpine" versions: - "3.23" +dependencies: [] diff --git a/tasks/firewall.yaml b/tasks/firewall.yaml index a320888..ffe7bcb 100644 --- a/tasks/firewall.yaml +++ b/tasks/firewall.yaml 
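Review bot: `ipv4_enabled` and `ipv6_enabled` are used as `when:` conditions in handlers/main.yaml and throughout tasks/firewall.yaml in this commit, but defaults/main.yaml declares neither, so the role fails with an undefined-variable error unless every inventory sets them. Declare them with the values the role is meant to ship, e.g. `ipv4_enabled: true` and `ipv6_enabled: false`, under a `# feature toggles` comment next to the interface defaults. The `nat_port_forwards` entries are consumed as `forward.name`, `forward.port`, `forward.dst` and the optional `forward.protocol` in tasks/firewall.yaml; a comment documenting that shape here, e.g. `# list of {name, port, dst, protocol (default tcp)}`, saves readers a trip to the template.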
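Review bot: `restart iptables` is also notified by the `firewall - remove ipv4 rules` task in tasks/firewall.yaml, which deletes `/etc/iptables/rules-save` right before the handler runs; if the Alpine init script restores the ruleset from that file, as its name suggests, the restart either fails or leaves the previous rules loaded, neither of which is what removing the rules implies. A separate handler for the removal path, `- name: "stop iptables"` with `state: "stopped"` and `enabled: false`, would make that intent explicit, and the same applies to `restart ip6tables`. Note also that the commit title announces the removal of all IPv6 functionality while this hunk adds an ip6tables handler and tasks/firewall.yaml adds an ip6tables ruleset; either the title or the content needs to change.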
@@ -1,2 +1,142 @@ --- -# Configure firewall + +# deploy ipv4 iptable rules +- name: "firewall - ipv4 rules" + ansible.builtin.copy: + dest: "/etc/iptables/rules-save" + mode: "0600" + owner: "root" + group: "root" + content: | + *nat + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + # NAT masquerade from LAN to WAN + -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE + {% for forward in nat_port_forwards %} + # {{ forward.name }} + -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }} + {% endfor %} + COMMIT + + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + # Allow established/related + -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + # Allow loopback + -A INPUT -i lo -j ACCEPT + # Allow LAN management access + -A INPUT -i {{ lan_interface }} -j ACCEPT + # Allow forwarding from LAN to anywhere + -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT + {% for forward in nat_port_forwards %} + # {{ forward.name }} + -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT + {% endfor %} + COMMIT + notify: "restart iptables" + when: "ipv4_enabled" + + +# deploy ipv6 iptable rules +- name: "firewall - deploy ipv6 rules" + ansible.builtin.copy: + dest: "/etc/ip6tables/rules-save" + mode: "0600" + owner: "root" + group: "root" + content: | + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + # Allow established/related + -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + # Allow loopback + -A INPUT -i lo -j ACCEPT + # Allow LAN management access + -A INPUT -i {{ lan_interface }} -j ACCEPT + # Allow ICMPv6 
(required for NDP/RA) + -A INPUT -p ipv6-icmp -j ACCEPT + -A FORWARD -p ipv6-icmp -j ACCEPT + # Allow forwarding from LAN to anywhere + -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT + COMMIT + notify: "restart ip6tables" + when: "ipv6_enabled" + +# remove iptables rules when disabled +- name: "firewall - remove ipv4 rules" + ansible.builtin.file: + path: "/etc/iptables/rules-save" + state: "absent" + notify: "restart iptables" + when: "not ipv4_enabled" + +# remove ip6tables rules when disabled +- name: "firewall - remove ipv6 rules" + ansible.builtin.file: + path: "/etc/ip6tables/rules-save" + state: "absent" + notify: "restart ip6tables" + when: "not ipv6_enabled" + + +# load nf_conntrack module +- name: "firewall - load nf_conntrack module" + community.general.modprobe: + name: "nf_conntrack" + state: "present" + when: "ipv4_enabled or ipv6_enabled" + +# configure nf_conntrack hashsize +- name: "firewall - configure nf_conntrack hashsize" + ansible.builtin.lineinfile: + path: "/etc/modprobe.d/nf_conntrack.conf" + line: "options nf_conntrack hashsize=16384" + create: true + mode: "0644" + owner: "root" + group: "root" + when: "ipv4_enabled or ipv6_enabled" + +# load nf_conntrack at boot +- name: "firewall - load nf_conntrack at boot" + ansible.builtin.lineinfile: + path: "/etc/modules" + line: "nf_conntrack" + create: true + mode: "0644" + owner: "root" + group: "root" + when: "ipv4_enabled or ipv6_enabled" + +# set nf_conntrack hashsize at runtime +- name: "firewall - set nf_conntrack hashsize runtime" + ansible.builtin.shell: + cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize" + changed_when: false + when: "ipv4_enabled or ipv6_enabled" + +# configure nf_conntrack sysctl settings +- name: "firewall - configure conntrack sysctl settings" + ansible.posix.sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: "present" + sysctl_file: "/etc/sysctl.conf" + reload: false + loop: + - name: 
"net.netfilter.nf_conntrack_max" + value: "16384" + - name: "net.netfilter.nf_conntrack_tcp_timeout_established" + value: "3600" + - name: "net.netfilter.nf_conntrack_generic_timeout" + value: "120" + when: "ipv4_enabled or ipv6_enabled" diff --git a/tasks/install.yaml b/tasks/install.yaml deleted file mode 100644 index 89ed391..0000000 --- a/tasks/install.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# Install router components diff --git a/tasks/main.yaml b/tasks/main.yaml index f920eda..f9ec38a 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,10 +1,5 @@ --- -- name: "install" - ansible.builtin.import_tasks: "install.yaml" - tags: - - "all" - - name: "routing" ansible.builtin.import_tasks: "routing.yaml" tags: diff --git a/tasks/performance.yaml b/tasks/performance.yaml index 84b8265..7a2ee80 100644 --- a/tasks/performance.yaml +++ b/tasks/performance.yaml @@ -1,2 +1,40 @@ --- -# Configure performance + +# tcp performance tuning +- name: "configure tcp performance settings" + ansible.posix.sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: "present" + sysctl_file: "/etc/sysctl.conf" + reload: false + loop: + - name: "net.core.netdev_max_backlog" + value: "5000" + - name: "net.core.rmem_max" + value: "16777216" + - name: "net.core.wmem_max" + value: "16777216" + - name: "net.ipv4.tcp_rmem" + value: "4096 87380 16777216" + - name: "net.ipv4.tcp_wmem" + value: "4096 65536 16777216" + - name: "net.ipv4.tcp_congestion_control" + value: "bbr" + - name: "net.core.default_qdisc" + value: "fq" + - name: "net.ipv4.tcp_fin_timeout" + value: "15" + - name: "net.ipv4.tcp_tw_reuse" + value: "1" + - name: "net.ipv4.tcp_ecn" + value: "1" + - name: "net.core.netdev_budget" + value: "600" + - name: "net.core.netdev_budget_usecs" + value: "8000" + +- name: "Apply all sysctl settings" + ansible.builtin.command: + cmd: "sysctl -p" + changed_when: false diff --git a/tasks/routing.yaml b/tasks/routing.yaml index c37db8e..f9b772b 100644 --- a/tasks/routing.yaml 
+++ b/tasks/routing.yaml @@ -4,20 +4,30 @@ community.general.apk: name: - "iptables" - - "ip6tables" state: "present" update_cache: true -- name: "enable ipv4 forwarding" +- name: "configure ipv4 forwarding" ansible.posix.sysctl: - name: "net.ipv4.ip_forward" + name: "net.ipv4.conf.all.forwarding" value: "1" - sysctl_set: true - state: present + state: "present" + sysctl_file: "/etc/sysctl.conf" + reload: false -- name: "enable ipv6 forwarding" +- name: "disable ipv4 redirects and source routing" ansible.posix.sysctl: - name: "net.ipv6.conf.all.forwarding" - value: "1" - sysctl_set: true - state: present + name: "{{ item.name }}" + value: "{{ item.value }}" + state: "present" + sysctl_file: "/etc/sysctl.conf" + reload: false + loop: + - name: "net.ipv4.conf.all.accept_redirects" + value: "0" + - name: "net.ipv4.conf.all.send_redirects" + value: "0" + - name: "net.ipv4.conf.all.accept_source_route" + value: "0" + - name: "net.ipv4.conf.all.log_martians" + value: "0"
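Review bot: `net.ipv4.conf.all.send_redirects=0` alone does not stop ICMP redirects: the kernel sends them on an interface if either `all` or that interface's own `send_redirects` is set, and the per-interface default is 1, so the WAN and LAN interfaces keep emitting redirects after this task. Add `- name: "net.ipv4.conf.default.send_redirects"` / `value: "0"` to the loop, and for the interfaces that already exist at play time the corresponding `net.ipv4.conf.{{ wan_interface }}.send_redirects` and `net.ipv4.conf.{{ lan_interface }}.send_redirects` entries. Setting `net.ipv4.conf.all.log_martians` to `"0"` is the opposite of the usual hardening value for a host with a WAN interface; logging packets with impossible source addresses is a cheap detection signal, and `"1"` is what the task name leads a reader to expect. The forwarding task dropped `sysctl_set: true` and now uses `reload: false`, so the change to `net.ipv4.conf.all.forwarding` is not applied to the running kernel by this file and depends on a later `sysctl -p`; a comment such as `# applied by "sysctl -p" in performance.yaml` would make that explicit. The `community.general.apk` task at the top of the hunk begins before the hunk.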