authorChristian Pointner <equinox@spreadspace.org>2021-07-25 02:30:28 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-07-25 02:30:28 +0200
commit7ad0cae08af4c7570be4b4bdf2987c0cc3b70aba (patch)
tree00529beaafd685c70e52b61cd9453359d541dfdd /inventory
parentreconfigure ele-router (WIP) (diff)
ele-router: prepare setup for e21
Diffstat (limited to 'inventory')
-rw-r--r--inventory/group_vars/elevate-festival/vars.yml1
-rw-r--r--inventory/host_vars/ele-router.yml188
2 files changed, 98 insertions, 91 deletions
diff --git a/inventory/group_vars/elevate-festival/vars.yml b/inventory/group_vars/elevate-festival/vars.yml
index 0fef595b..ee2b7da8 100644
--- a/inventory/group_vars/elevate-festival/vars.yml
+++ b/inventory/group_vars/elevate-festival/vars.yml
@@ -248,6 +248,7 @@ network_zones:
ele-dione: 1
ele-helene: 2
equinox-t450s: 10
+ ele-router: 13
ele-mur: 14
datacop_lte:
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 1f795cd9..9b660f99 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -3,6 +3,9 @@ ssh_users_root:
- equinox
- datacop
+network_mgmt_zone: "{{ network_zones.mgmt }}"
+
+
wireguard_keys:
gwhetzner:
pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY="
@@ -24,47 +27,33 @@ wireguard_gateway_tunnels:
allowed_ips:
- 0.0.0.0/0
-
-
-network_mgmt_zone: "{{ network_zones.mgmt }}"
-network_internal_zone_names__emc:
- - emc
-network_internal_zone_names__wan:
- - lan
- - guest
- - mixer
- - infoscreens
-
-network_internal_zone_names: "{{ network_internal_zone_names__wan + network_internal_zone_names__emc }}"
-
-
openwrt_network_external:
- - name: interface 'wanff'
+ - name: interface 'wanmur'
options:
ifname: 'eth5'
proto: static
- ipaddr: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}"
- netmask: "{{ network_zones.funkfeuer.prefix | ipaddr('netmask') }}"
+ ipaddr: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ipaddr('address') }}"
+ netmask: "{{ network_zones.murat_transfer.prefix | ipaddr('netmask') }}"
accept_ra: 0
- name: rule
options:
- priority: 39000
- src: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}/32"
- lookup: 102
+ priority: 41050
+ src: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ipaddr('address') }}/32"
+ lookup: 105
- name: rule
options:
- priority: 39001
- mark: 102
- lookup: 102
+ priority: 41051
+ mark: 105
+ lookup: 105
- - name: route 'ffdefault'
+ - name: route 'murdefault'
options:
- interface: 'wanff'
- table: 102
+ interface: 'wanmur'
+ table: 105
target: '0.0.0.0/0'
- gateway: "{{ network_zones.funkfeuer.gateway }}"
+ gateway: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }}"
- name: interface 'wanlte'
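Review bot: The wanmur routing-table id 105 is written as a literal three times in this hunk (`lookup: 105`, `mark: 105`, `table: 105`) and again as `fwmark 105` in the network-wgemc init script (hunk @@ -254) and as `rt_table = "105"` in the firewall script (hunk @@ -288); 104 for wanlte is repeated the same way across the @@ -77 and @@ -288 hunks. A single host var per uplink, for example a constructed `rt_table_wanmur: 105` referenced as `lookup: "{{ rt_table_wanmur }}"`, would keep the policy-routing rules, the WireGuard fwmark and the firewall script in step when a table id changes, instead of relying on five places being edited together. Table 200 for the wgemc zones appears only in the firewall script within these hunks, so whatever populates it presumably lives outside this diff; worth confirming it still matches after the rename.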
@@ -77,25 +66,39 @@ openwrt_network_external:
- name: rule
options:
- priority: 38000
+ priority: 41040
src: "{{ network_zones.datacop_lte.prefix | ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ipaddr('address') }}/32"
- lookup: 103
+ lookup: 104
- name: rule
options:
- priority: 38001
- mark: 103
- lookup: 103
+ priority: 41041
+ mark: 104
+ lookup: 104
- name: route 'ltedefault'
options:
interface: 'wanlte'
- table: 103
+ table: 104
target: '0.0.0.0/0'
gateway: "{{ network_zones.datacop_lte.gateway }}"
+ - name: rule
+ options:
+ priority: 50000
+ lookup: 105
+network_internal_zone_names__wanmur:
+ - lan
+ - guest
+ - mixer
+ - infoscreens
+network_internal_zone_names__wanlte: []
+network_internal_zone_names__wgemc:
+ - emc
+
+network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}"
openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}"
openwrt_network_internal_yaml: |
{% for zone_name in network_internal_zone_names %}
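Review bot: The new catch-all rule (`priority: 50000`, `lookup: 105`) is the only entry in this list without an interface or mark selector, and nothing says why it exists; a comment above it such as `# catch-all: traffic not matched by a more specific rule is routed via wanmur (table 105)` would make the fallback explicit. Likewise `network_internal_zone_names__wanlte: []` deserves a one-line note that no internal zone currently uses the LTE uplink, since an empty list is otherwise easy to read as an omission. The `network_internal_zone_names` concatenation line is also well past any reasonable line length; a folded `>-` scalar would keep it readable without changing the rendered value.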
@@ -106,16 +109,9 @@ openwrt_network_internal_yaml: |
ipaddr: "{{ network_zones[zone_name].gateway }}"
netmask: "{{ network_zones[zone_name].prefix | ipaddr('netmask') }}"
accept_ra: 0
- {% if zone_name in network_internal_zone_names__emc %}
-
- - name: rule
- options:
- priority: 33000
- in: "{{ zone_name }}"
- lookup: 200
- {% endif %}
{% endfor %}
+
openwrt_network_base:
- name: globals 'globals'
options:
@@ -137,10 +133,11 @@ openwrt_network_base:
accept_ra: 0
+
openwrt_dhcp_external:
- - name: dhcp 'wanff'
+ - name: dhcp 'wanmur'
options:
- interface: 'wanff'
+ interface: 'wanmur'
ignore: '1'
- name: dhcp 'wanlte'
@@ -148,6 +145,7 @@ openwrt_dhcp_external:
interface: 'wanlte'
ignore: '1'
+
openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}"
openwrt_dhcp_internal_yaml: |
{% for zone_name in network_internal_zone_names %}
@@ -165,6 +163,7 @@ openwrt_dhcp_internal_yaml: |
{% endif %}
{% endfor %}
+
openwrt_dhcp_base:
- name: dnsmasq
options:
@@ -183,6 +182,8 @@ openwrt_dhcp_base:
leasefile: '/tmp/dhcp.leases'
resolvfile: '/tmp/resolv.conf.auto'
localservice: '1'
+ server:
+ - 1.1.1.1
- name: odhcpd 'odhcpd'
options:
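Review bot: Adding `server:` with `1.1.1.1` does not stop dnsmasq from also forwarding to whatever lands in `resolvfile: '/tmp/resolv.conf.auto'`, because `server` entries are appended to the upstream list rather than replacing it; if the intent is to pin the upstream resolver, `noresolv: '1'` is needed alongside it. A single forwarder also leaves no fallback when that address is unreachable over the current default uplink, so a second `server:` entry is worth considering. Either way a short comment explaining why a fixed public resolver is preferred over the uplink-provided ones would help the next reader, e.g. `# forward upstream queries to a fixed public resolver rather than the uplink-provided ones`.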
@@ -238,13 +239,13 @@ openwrt_mixin:
content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n"
mode: "0600"
- /etc/rc.d/S21network-emc:
- link: "../init.d/network-emc"
+ /etc/rc.d/S21network-wgemc:
+ link: "../init.d/network-wgemc"
- /etc/rc.d/K91network-emc:
- link: "../init.d/network-emc"
+ /etc/rc.d/K91network-wgemc:
+ link: "../init.d/network-wgemc"
- /etc/init.d/network-emc:
+ /etc/init.d/network-wgemc:
mode: "0755"
content: |
#!/bin/sh /etc/rc.common
@@ -254,7 +255,7 @@ openwrt_mixin:
start() {
ip link add dev wg-emc type wireguard
- wg set wg-emc fwmark 102 private-key /etc/wireguard/wg-emc.priv
+ wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv
{% for peer in wireguard_gateway_tunnels['wg-emc'].peers %}
wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }}
@@ -270,7 +271,6 @@ openwrt_mixin:
stop() {
ip link del dev wg-emc
- ip rule del pref 33000
}
/etc/rc.d/S22network-fw:
@@ -288,60 +288,63 @@ openwrt_mixin:
STOP=91
start() {
- FF_IF=$(uci get network.wanff.ifname)
- LTE_IF=$(uci get network.wanlte.ifname)
+ ### management
MGMT_IF=$(uci get network.mgmt.ifname)
MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
MGMT_NETMASK=$(uci get network.mgmt.netmask)
-
-
- iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
- ### todo: limit the destination address?
- iptables -A INPUT -i "$FF_IF" -p icmp -j ACCEPT
- iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
- iptables -A INPUT -i "$FF_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -A INPUT -i "$LTE_IF" -p icmp -j ACCEPT
- iptables -A INPUT -i "$LTE_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
- iptables -A INPUT -i "$LTE_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ ### external zones
+ # mur
+ iptables -A INPUT -i "eth5" -p icmp -j ACCEPT
+ iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ # LTE
+ iptables -A INPUT -i "eth4" -p icmp -j ACCEPT
+ iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ # Wireguard EMC
iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT
iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT
iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- # all internal zones
- for zone in {{ network_internal_zone_names | join(' ') }}; do
- interface=$(uci get "network.$zone.ifname")
- ipaddr=$(uci get "network.$zone.ipaddr")
- netmask=$(uci get "network.$zone.netmask")
-
- ### todo: only add this if dhcp is in network_zones[zone]
- iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
-
- ### todo: only do this if dhcp is in network_zones[zone] or $ipaddr is in network_zones[zone].dns
- iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
-
- iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A INPUT -i "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- case "$zone" in
- {{ network_internal_zone_names__wan | join('|') }})
- iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
- ;;
- {{ network_internal_zone_names__emc | join('|') }})
- iptables -A FORWARD -i "$interface" -o "wg-emc" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A FORWARD -i "wg-emc" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "wg-emc" -s "$ipaddr/$netmask" -j MASQUERADE
- ;;
- esac
- done
+ ### internal zones
+ {% for zone_name in network_internal_zone_names %}
+ # {{ zone_name }}
+ {% if 'dhcp' in network_zones[zone_name] %}
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT
+ {% endif %}
+ {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %}
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ {% endif %}
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ {% if zone_name in network_internal_zone_names__wanmur %}
+ {% set ext_interface = "eth5" %}
+ {% set rt_table = "105" %}
+ {% elif zone_name in network_internal_zone_names__wanlte %}
+ {% set ext_interface = "eth4" %}
+ {% set rt_table = "104" %}
+ {% elif zone_name in network_internal_zone_names__wgemc %}
+ {% set ext_interface = "wg-emc" %}
+ {% set rt_table = "200" %}
+ {% endif %}
+ iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE
+ ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }}
+
+ {% endfor %}
+
+ ###
iptables -P INPUT DROP
iptables -P FORWARD DROP
}
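Review bot: The firewall script now hard-codes the interface names (`"eth5"`, `"eth4"`, `"eth0.{{ network_zones[zone_name].vlan }}"`) where the old code read them back with `uci get network.<zone>.ifname`, so `ifname: 'eth5'` in `openwrt_network_external` (hunk @@ -24) and these rules have to be kept in step by hand; deriving the name once, either from a shared host var or by keeping the `uci get` lookups, avoids that drift. The `{% if %}/{% elif %}` chain that sets `ext_interface` and `rt_table` has no `{% else %}`; it is safe today only because `network_internal_zone_names` is built from exactly those three lists, and an `{% else %}` that fails the render would make that dependency explicit rather than leaving a zone to fall through with an unset `-o`. The condition `network_zones[zone_name].gateway in network_zones[zone_name].dns` assumes every zone defines `dns` — confirm that, or guard it with `network_zones[zone_name].dns | default([])`. The old `### todo: limit the destination address?` was dropped but not addressed: the external INPUT rules on eth5/eth4 still accept ICMP and the SSH port to any destination, and the `ipaddr` expression used for the wanmur interface in hunk @@ -24 could be reused as a `-d` match to restrict them to the router's own address.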
@@ -352,6 +355,9 @@ openwrt_mixin:
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
+ {% for zone_name in network_internal_zone_names %}
+ ip rule del pref {{ loop.index + 33000 }}
+ {% endfor %}
}
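Review bot: `ip rule del pref {{ loop.index + 33000 }}` deletes by preference alone, whereas the matching add in start() (hunk @@ -288) carries `iif` and `lookup` selectors; mirroring at least the interface, `ip rule del pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}"`, makes the delete target the rule this script created. Because the preference numbers come from the position of each zone in `network_internal_zone_names` at render time, a zone removed between two deploys leaves its rule behind after a stop, which a comment on the loop should mention. The stop() function begins outside this hunk.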