-rw-r--r-- | chaos-at-home/ch-gw-lan.yml | 21 | ||||
-rw-r--r-- | inventory/group_vars/chaos-at-home/network.yml | 4 | ||||
-rw-r--r-- | inventory/host_vars/ch-router.yml | 9 |
3 files changed, 25 insertions, 9 deletions
diff --git a/chaos-at-home/ch-gw-lan.yml b/chaos-at-home/ch-gw-lan.yml
index 5e76e90a..64e1c8b8 100644
--- a/chaos-at-home/ch-gw-lan.yml
+++ b/chaos-at-home/ch-gw-lan.yml
@@ -8,7 +8,28 @@ - role: core/zsh - role: core/ntp - role: network/dhcp-server + - role: network/nftables/base post_tasks: + - name: install public service nftable rules + copy: + content: | + # Ansible managed + + define nic_lan = lan0 + define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }} + table ip nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" + {% for name, svc in network_services.items() %} + iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" + {% endfor %} + } + } + dest: /etc/nftables.d/public-services.nft + notify: reload nftables + - name: install etherwake apt: name: etherwake
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index 86ab6c7a..6807c104 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -114,6 +114,10 @@ network_zones: network_services: + ssh-jump: + ports: + - 2342 + addr: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" http: ports: - 80
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 3be8367b..367ec6cd 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
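Review bot: The copy task that writes /etc/nftables.d/public-services.nft has no `validate:`, so a render that nft rejects (a network_services entry with an empty `ports` list renders `tcp dport {  }`, a missing `addr` renders `dnat to ` with nothing after it) is only caught when the `reload nftables` handler fails, after the previous working file on disk has already been overwritten; adding `validate: nft -c -f %s` to the task checks the rendered file before it is installed, and the file is self-contained (it declares its own `define`s) so a standalone check is sufficient. The hand-written `tcp dport { 222 } ... comment "ssh-router"` rule sits outside the network_services loop that the rest of the commit moves towards, so it will not show up wherever that map is audited; at minimum a comment such as `# hairpin only: WAN-side SSH to ch-router is handled by its INPUT rule, not by network_services` above it would record why it is special-cased. This fragment only rewrites destinations in the nat prerouting hook; whether lan0→svc forwarding for these ports is accepted depends on the network/nftables/base role, which is not in this diff, whereas the removed iptables rules carried explicit FORWARD accepts alongside each DNAT. The play's roles list starts before the hunk and the post_tasks list continues after it.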
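Review bot: Only the ssh-jump forward gets a network_services entry here, while the ch-router.yml hunk of this commit removes both the `# ssh` (tcp/2342 → ch-jump) and the `# dns` (tcp/53 → ch-nic) DNAT/FORWARD pairs; unless network_services already carries a dns entry outside this hunk, the tcp/53 forward to ch-nic is silently dropped by this commit. If it is meant to stay, a `dns:` entry with `ports: [53]` and an `addr:` built from `network_zones.svc.offsets['ch-nic']` in the same shape as ssh-jump would restore it; the ch-gw-lan.yml template only emits `tcp dport` rules, which matches the tcp-only rule that was removed (the ch-router loop body is outside the diff, so I cannot confirm it does the same). Since every entry in this map is now consumed by both the ch-router loop and the new LAN hairpin rules, a header comment such as `# every entry here is DNATed from the public address by ch-router and hairpinned from lan0 by ch-gw-lan` above network_services would make the exposure consequence of adding an entry explicit. The network_services mapping continues past the hunk.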
@@ -154,15 +154,6 @@ openwrt_mixin: iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - {# TODO: add these to network_services #} - # ssh - iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" - iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT - - # dns - iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 53 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}" - iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}" -p tcp --dport 53 -j ACCEPT {% for name, svc in network_services.items() %} # {{ name }} |