diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2022-06-15 19:35:36 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2022-06-15 19:35:36 +0200 |
| commit | 8e5c279f7cecf29589835e74602155b9afc430d8 (patch) | |
| tree | c55e219fa44c220a29a4ef55ddc10c5f37456675 /chaos-at-home/ch-gw-lan.yml | |
| parent | update apt-repo gpg key for tor-project (diff) | |
add simple handling for nftable rulesets in base role
Diffstat (limited to 'chaos-at-home/ch-gw-lan.yml')
| -rw-r--r-- | chaos-at-home/ch-gw-lan.yml | 27 |
1 files changed, 0 insertions, 27 deletions
diff --git a/chaos-at-home/ch-gw-lan.yml b/chaos-at-home/ch-gw-lan.yml index 11d65b17..37ed17fa 100644 --- a/chaos-at-home/ch-gw-lan.yml +++ b/chaos-at-home/ch-gw-lan.yml @@ -10,33 +10,6 @@ - role: network/dhcp-server - role: network/nftables/base post_tasks: - - name: install public service nftable rules - copy: - content: | - # Ansible managed - - define nic_lan = lan0 - define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }} - - table ip nat { - chain public-services-prerouting { - type nat hook prerouting priority -100; policy accept; - iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" - {% for name, svc in network_services.items() %} - iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" - {% endfor %} - } - chain public-services-output { - type nat hook output priority -100; policy accept; - ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" - {% for name, svc in network_services.items() %} - ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" - {% endfor %} - } - } - dest: /etc/nftables.d/public-services.nft - notify: reload nftables - - name: install etherwake apt: name: etherwake |