From 91cd5480b5a1ca1103d5e239af3d331477c41c2c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 21 Nov 2017 22:28:39 +0100
Subject: initial commit as copy from helsinki ansible repo
---
 roles/vm-network/templates/firewall.sh_public.j2 | 49 ++++++++++++++++++
 roles/vm-network/templates/interfaces_lan.j2 | 17 +++++++
 roles/vm-network/templates/interfaces_public.j2 | 63 ++++++++++++++++++++++++
 roles/vm-network/templates/systemd.link.j2 | 5 ++
 4 files changed, 134 insertions(+)
 create mode 100644 roles/vm-network/templates/firewall.sh_public.j2
 create mode 100644 roles/vm-network/templates/interfaces_lan.j2
 create mode 100644 roles/vm-network/templates/interfaces_public.j2
 create mode 100644 roles/vm-network/templates/systemd.link.j2
(limited to 'roles/vm-network/templates')
diff --git a/roles/vm-network/templates/firewall.sh_public.j2 b/roles/vm-network/templates/firewall.sh_public.j2
new file mode 100644
index 00000000..df5b1373
--- /dev/null
+++ b/roles/vm-network/templates/firewall.sh_public.j2
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
+PUBLIC_IF="$2"
+TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
+UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"
+
+#####
+IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
+ICMP="icmp{% if item == 6 %}v6{% endif %}"
+
+case "$1" in
+ start)
+ $IPTABLES -A INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+ $IPTABLES -A INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+ for port in $TCP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+ done
+ done
+ for port in $UDP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+ done
+ done
+ $IPTABLES -A INPUT -i $PUBLIC_IF -j DROP
+ ;;
+ stop)
+ $IPTABLES -D INPUT -i $PUBLIC_IF -j DROP
+ for port in $UDP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+ done
+ done
+ for port in $TCP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+ done
+ done
+ $IPTABLES -D INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+ $IPTABLES -D INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+ ;;
+ *)
+ echo "Usage: $0 (start|stop)"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/roles/vm-network/templates/interfaces_lan.j2 b/roles/vm-network/templates/interfaces_lan.j2
new file mode 100644
index 00000000..36ae2883
--- /dev/null
+++ b/roles/vm-network/templates/interfaces_lan.j2
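Review bot: `stop` re-derives every `-D` rule from the template values in force at stop time, so if `srv_network.public.firewall.tcp_ports`/`udp_ports` or the public IP lists were re-rendered while the interface was up, the ACCEPTs that were actually loaded are not matched and stay in INPUT while the trailing DROP is removed first — the old ports remain open until reboot; a repeated `start` also appends a second full rule set because `-A` is never guarded. A dedicated chain fixes both: `start` creates or flushes it and hooks it from INPUT exactly once, and `stop` flushes and deletes it regardless of what the port list now says. `PUBLIC_IF="$2"` is used unquoted and never validated, so a missing interface argument produces rules that do not pin the intended interface (or fail part-way through the sequence); reject it before the `case`. `-m state` still works but `-m conntrack --ctstate` is the current module.
```shell
PUBLIC_IF="$2"
CHAIN="PUBLIC_IN"
# … unchanged: PUBLIC_IPS, TCP_PORTS, UDP_PORTS, IPTABLES, ICMP …

[ -n "$PUBLIC_IF" ] || { echo "Usage: $0 (start|stop) <interface>" >&2; exit 1; }

case "$1" in
  start)
    # own chain: stop can flush whatever was loaded, even if the
    # port/IP lists have been re-rendered since start
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    $IPTABLES -A "$CHAIN" -p "$ICMP" -j ACCEPT
    $IPTABLES -A "$CHAIN" -m state --state related,established -j ACCEPT
    # … unchanged: tcp/udp per-port loops, appending to "$CHAIN" with -d "$ip" (no -i needed; the jump below carries it) …
    $IPTABLES -A "$CHAIN" -j DROP
    # hook the chain into INPUT exactly once
    $IPTABLES -C INPUT -i "$PUBLIC_IF" -j "$CHAIN" 2>/dev/null || \
      $IPTABLES -A INPUT -i "$PUBLIC_IF" -j "$CHAIN"
    ;;
  stop)
    $IPTABLES -D INPUT -i "$PUBLIC_IF" -j "$CHAIN"
    $IPTABLES -F "$CHAIN"
    $IPTABLES -X "$CHAIN"
    ;;
  # … unchanged: usage arm, esac, exit 0 …
```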
@@ -0,0 +1,17 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The internal network interface
+auto {{ srv_network.internal.interface }}
+iface {{ srv_network.internal.interface }} inet static
+ address {{ srv_network.internal.ip }}
+ netmask 255.255.255.0
+ gateway 192.168.1.254
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
diff --git a/roles/vm-network/templates/interfaces_public.j2 b/roles/vm-network/templates/interfaces_public.j2
new file mode 100644
index 00000000..2e8583ab
--- /dev/null
+++ b/roles/vm-network/templates/interfaces_public.j2
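Review bot: The stanza templates `address` from the inventory but hardcodes `gateway 192.168.1.254` and `netmask 255.255.255.0`, so a host placed on any other internal subnet would be rendered with a gateway it cannot reach; `gateway {{ srv_network.internal.gateway | default('192.168.1.254') }}` keeps today's value as the default while letting the inventory override it (same for the netmask). The two `pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/...` writes are the right defence against rogue RAs/SLAAC on the internal side, but they will fail the pre-up step on a kernel booted with IPv6 disabled, where that path does not exist; if such hosts are possible, guard them as `pre-up [ ! -d /proc/sys/net/ipv6 ] || echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra`.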
@@ -0,0 +1,63 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The internal network interface
+auto {{ srv_network.internal.interface }}
+iface {{ srv_network.internal.interface }} inet static
+ address {{ srv_network.internal.ip }}
+ netmask 255.255.255.0
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ up ip route add default via 192.168.1.254 table default
+ up ip rule add pref 42000 lookup default
+ up ip rule del pref 32767
+ down ip rule add pref 32767 lookup default
+ down ip rule del pref 42000
+ down ip route del default via 192.168.1.254 table default
+
+
+# The public network interface
+auto {{ srv_network.public.interface }}
+iface {{ srv_network.public.interface }} inet static
+ address {{ srv_network.public.ip }}
+ netmask 255.255.255.0
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ ## mur.at
+ up ip addr add dev $IFACE {{ srv_network.public.ip_mur }}/28
+ up ip route add default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
+ up ip rule add pref 33000 from {{ srv_network.public.ip_mur }} lookup mur-default
+ ## upc
+ up ip addr add dev $IFACE {{ srv_network.public.ip_upc }}/32
+ up ip route add default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
+ up ip rule add pref 35000 from {{ srv_network.public.ip_upc }} lookup upc-default
+ ### firewall
+ up /etc/network/firewall4.sh start $IFACE
+ ##########
+ down /etc/network/firewall4.sh stop $IFACE
+ ## upc
+ down ip rule del pref 35000
+ down ip route del default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
+ down ip addr del dev $IFACE {{ srv_network.public.ip_upc }}/32
+ ## mur.at
+ down ip rule del pref 33000
+ down ip route del default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
+ down ip addr del dev $IFACE {{ srv_network.public.ip_mur }}/28
+
+iface {{ srv_network.public.interface }} inet6 static
+ address {{ srv_network.public.ip_mur6 }}
+ netmask 64
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ up ip -6 route add default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
+ up ip -6 rule add pref 33000 from {{ srv_network.public.ip_mur6 }} lookup mur-default
+ up /etc/network/firewall6.sh start $IFACE
+ down /etc/network/firewall6.sh stop $IFACE
+ down ip -6 rule del pref 33000
+ down ip -6 route del default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
diff --git a/roles/vm-network/templates/systemd.link.j2 b/roles/vm-network/templates/systemd.link.j2
new file mode 100644
index 00000000..753fd586
--- /dev/null
+++ b/roles/vm-network/templates/systemd.link.j2
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:01:{{ "%02d" | format(item.idx) }}.0
+
+[Link]
+Name={{ item.name }}
-- cgit v1.2.3
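Review bot: `firewall4.sh start` and `firewall6.sh start` are `up` hooks that run only after the primary `address`, the mur.at/upc aliases and their default routes are already configured, so the public IPs carry traffic against an unfiltered INPUT until the scripts complete, and if a script fails the interface is, as far as I recall ifupdown's behaviour, left configured and up. Running them as `pre-up /etc/network/firewall4.sh start $IFACE` (and `pre-up /etc/network/firewall6.sh start $IFACE` in the inet6 stanza) installs the `-i $IFACE` rules before the link is configured — iptables does not need the interface to exist — and turns a firewall failure into an aborted `ifup` instead of an open host; pair them with `post-down ... stop $IFACE`. `$IFACE` is already relied on by the existing `pre-up` sysctl lines, so it is available at that stage. The `mur-default` and `upc-default` table names presumably need entries in `/etc/iproute2/rt_tables`, which this commit does not add; worth confirming the role handles that elsewhere, since `ip route add ... table mur-default` fails otherwise.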