router/tasks/firewall.yaml


---
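# deploy ipv4 iptable rules
- name: "firewall - ipv4 rules"
  # Writes the IPv4 ruleset in iptables-save format (nat + filter tables).
  # Default policy is DROP on INPUT and FORWARD; only established/related
  # traffic, loopback, the LAN interface, LAN->WAN forwarding and the
  # configured nat_port_forwards entries are accepted. The file is loaded
  # by the "restart iptables" handler.
  ansible.builtin.copy:
    dest: "/etc/iptables/rules-save"
    mode: "0600"
    owner: "root"
    group: "root"
    # Parse the rendered ruleset before it replaces the live file: a bad
    # rule (e.g. from a malformed nat_port_forwards entry) then fails this
    # task and leaves the previous file untouched, instead of surfacing
    # only when the handler restarts the firewall.
    validate: "iptables-restore --test %s"
    content: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      # NAT masquerade from LAN to WAN
      -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
      {% for forward in nat_port_forwards %}
      # {{ forward.name }}
      -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }}
      {% endfor %}
      COMMIT
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      # Allow established/related
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Allow loopback
      -A INPUT -i lo -j ACCEPT
      # Allow LAN management access
      -A INPUT -i {{ lan_interface }} -j ACCEPT
      # Allow forwarding from LAN to anywhere
      -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
      {% for forward in nat_port_forwards %}
      # {{ forward.name }}
      -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT
      {% endfor %}
      COMMIT
  notify: "restart iptables"
  when: "ipv4_enabled"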
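# deploy ipv6 iptable rules
- name: "firewall - deploy ipv6 rules"
  # Writes the IPv6 ruleset (filter table only; there is no NAT and no
  # port forwarding for IPv6 here). Default policy is DROP on INPUT and
  # FORWARD. ICMPv6 is accepted for all types on both chains because
  # neighbour discovery and router advertisements need it; the rule does
  # not restrict by ICMPv6 type. Loaded by the "restart ip6tables" handler.
  ansible.builtin.copy:
    dest: "/etc/ip6tables/rules-save"
    mode: "0600"
    owner: "root"
    group: "root"
    # Parse the rendered ruleset first so a syntax error fails this task
    # and keeps the previous file, rather than failing in the handler.
    validate: "ip6tables-restore --test %s"
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      # Allow established/related
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Allow loopback
      -A INPUT -i lo -j ACCEPT
      # Allow LAN management access
      -A INPUT -i {{ lan_interface }} -j ACCEPT
      # Allow ICMPv6 (required for NDP/RA)
      -A INPUT -p ipv6-icmp -j ACCEPT
      -A FORWARD -p ipv6-icmp -j ACCEPT
      # Allow forwarding from LAN to anywhere
      -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
      COMMIT
  notify: "restart ip6tables"
  when: "ipv6_enabled"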
# remove iptables rules when disabled
- name: "firewall - remove ipv4 rules"
  # Counterpart of the ipv4 deploy task: with ipv4 disabled the saved
  # ruleset is deleted and the handler restarts iptables without it.
  ansible.builtin.file:
    path: '/etc/iptables/rules-save'
    state: absent
  notify: 'restart iptables'
  when: not ipv4_enabled
# remove ip6tables rules when disabled
- name: "firewall - remove ipv6 rules"
  # Counterpart of the ipv6 deploy task: with ipv6 disabled the saved
  # ruleset is deleted and the handler restarts ip6tables without it.
  ansible.builtin.file:
    path: '/etc/ip6tables/rules-save'
    state: absent
  notify: 'restart ip6tables'
  when: not ipv6_enabled
# load nf_conntrack module
- name: "firewall - load nf_conntrack module"
  # The state-match rules above and the nf_conntrack tuning tasks below
  # need the connection-tracking module present at runtime.
  community.general.modprobe:
    name: 'nf_conntrack'
    state: present
  when: ipv4_enabled or ipv6_enabled
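# configure nf_conntrack hashsize
- name: "firewall - configure nf_conntrack hashsize"
  # Persist the hashsize module option so it applies whenever nf_conntrack
  # is (re)loaded. The regexp keeps the task idempotent if the value is
  # ever changed: without it lineinfile would append a second "options"
  # line and leave the stale one in place.
  ansible.builtin.lineinfile:
    path: "/etc/modprobe.d/nf_conntrack.conf"
    regexp: '^options nf_conntrack hashsize='
    line: "options nf_conntrack hashsize=16384"
    create: true
    mode: "0644"
    owner: "root"
    group: "root"
  when: "ipv4_enabled or ipv6_enabled"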
# load nf_conntrack at boot
- name: "firewall - load nf_conntrack at boot"
  # Ensure the module is listed in /etc/modules so it is loaded at boot
  # and the modprobe.d option above takes effect from the first load.
  ansible.builtin.lineinfile:
    path: '/etc/modules'
    line: 'nf_conntrack'
    create: true
    mode: '0644'
    owner: 'root'
    group: 'root'
  when: ipv4_enabled or ipv6_enabled
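# set nf_conntrack hashsize at runtime
- name: "firewall - set nf_conntrack hashsize runtime"
  # hashsize is a module parameter exposed under /sys, so it is written
  # with a shell redirect (a plain command cannot redirect). The current
  # value is compared first so the task only writes when needed and
  # reports "changed" truthfully instead of always claiming no change.
  # Requires nf_conntrack to be loaded (see the modprobe task above).
  ansible.builtin.shell:
    cmd: |
      current="$(cat /sys/module/nf_conntrack/parameters/hashsize)"
      if [ "$current" != "16384" ]; then
        echo 16384 > /sys/module/nf_conntrack/parameters/hashsize
        echo "changed"
      fi
  register: nf_conntrack_hashsize_result
  changed_when: "'changed' in nf_conntrack_hashsize_result.stdout"
  when: "ipv4_enabled or ipv6_enabled"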
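# configure nf_conntrack sysctl settings
- name: "firewall - configure conntrack sysctl settings"
  # Persist the conntrack table limits and timeouts in /etc/sysctl.conf and
  # apply them to the running kernel. reload stays false (no `sysctl -p`
  # of the whole file), so sysctl_set is needed to set each key with -w;
  # without it the values only took effect after the next reboot/reload.
  # The net.netfilter.* keys exist only once nf_conntrack is loaded, which
  # the modprobe task above guarantees under the same condition.
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: "present"
    sysctl_file: "/etc/sysctl.conf"
    sysctl_set: true
    reload: false
  loop:
    - name: "net.netfilter.nf_conntrack_max"
      value: "16384"
    - name: "net.netfilter.nf_conntrack_tcp_timeout_established"
      value: "3600"
    - name: "net.netfilter.nf_conntrack_generic_timeout"
      value: "120"
  when: "ipv4_enabled or ipv6_enabled"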