path: root/inventory/host_vars/ch-router.yml
---
# Ansible host_vars for the "ch-router" OpenWrt VM: ImageBuilder inputs, files
# mixed into the image, UCI configuration and the libvirt domain that boots it.
#
# ImageBuilder inputs: a stock OpenWrt 19.07.3 x86/64 "Generic" build.
# NOTE(review): 19.07.3 is an early point release of the 19.07 series; later
# 19.07.x point releases carried security fixes -- confirm the pin is
# deliberate rather than stale.
openwrt_variant: openwrt
openwrt_release: 19.07.3
openwrt_arch: x86
openwrt_target: 64
openwrt_profile: Generic
# Build artefacts that are kept; the libvirt domain (virsh_domxml) boots the
# kernel and the raw rootfs directly from these files.
openwrt_output_image_suffixes:
  - "rootfs-ext4.img.gz"
  - "vmlinuz"

# Stock packages dropped from the image. Removing `firewall` means no fw3
# ruleset exists on the box: the hand-written /etc/init.d/network-fw mixin
# below is the only packet filter. ppp is unused because the WAN interface is
# configured `proto static`; dnsmasq/odhcpd are presumably dropped because the
# router does not serve DHCP/DNS itself (a separate host is DNAT target for 53).
openwrt_packages_remove:
  - ppp
  - ppp-mod-pppoe
  - dnsmasq
  - firewall
  - odhcpd
  - odhcpd-ipv6only
# Extras added on top of the base image.
openwrt_packages_add:
  - rng-tools  # rngd: feeds the virtio-rng device into the kernel pool (see system.rngd)
  - htop
  - ip
  - less
  - nano
  - tcpdump-mini
  - iperf
  - mtr
  - usbutils
  - kmod-ipt-nat  # required by the DNAT/SNAT rules in network-fw
  - kmod-ipt-conntrack  # required by the -m conntrack rules in network-fw
  - openvpn

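openwrt_mixin:
  # Files written into the image on top of the stock rootfs. Public PKI
  # material (CA, server certificate, DH parameters) is fine in the clear;
  # everything secret is expected to come from vault-encrypted variables.
  /etc/openvpn/ca.crt:
    content: "{{ openvpn_ca_certificate }}"

  /etc/openvpn/dhparams:
    mode: "0600"
    content: "{{ openvpn_dhparams }}"

  # NOTE(review): the tls-auth key is a shared secret, but unlike server.key it
  # is not sourced from a vault_-prefixed variable -- confirm openvpn_ta_key is
  # defined in a vault-encrypted file.
  /etc/openvpn/ta.key:
    mode: "0600"
    content: "{{ openvpn_ta_key }}"

  # Server certificate (public). Decoding the PEM suggests it was issued by the
  # "chaos at home CA" to CN=pandora, valid for ten years with a notAfter in
  # April 2025 -- verify with `openssl x509 -noout -subject -dates` and track
  # the expiry. Clients that pin the server name (verify-x509-name) must use
  # "pandora", which is not this host's hostname.
  /etc/openvpn/server.crt:
    content: |
      -----BEGIN CERTIFICATE-----
      MIIHXDCCBUSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCQVQx
      DzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3Mg
      YXQgaG9tZTEPMA0GA1UECxMGc3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21l
      IENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFv
      cy1hdC1ob21lLm9yZzAeFw0xNTA1MDIwMTU3NDZaFw0yNTA0MjkwMTU3NDZaMIGi
      MQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYw
      FAYDVQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxEDAOBgNVBAMT
      B3BhbmRvcmExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2FkbWlu
      QGNoYW9zLWF0LWhvbWUub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
      AgEAvwp3VeAZ2+uWLv0ePQ+I8T+0JMQkCdpv2Hn8gEQyUe4ubPtR6SE7455mXtGS
      WA67M9uHmX6jleQmap7VQPweBy5UD6ge5q39oJMB5G2wug2/QRcgTZVF1r14ZEmk
      mI31fQBHI/8M3gtMGzB5q0ohsaOuNSEyQir/CBDlDoyOzcVKRC3hQ4DVqD1Trp2M
      +bxINC9jcQUQd/U5+Ui51tlSBMs/M+0gAlD0kypgcQNZcDDsLW+iTF79/XMweowp
      bRDv8GbabL1E5kMYL1Ii0vNV6xmjbiyI/tX4DMyKa5d2LI80X932U/ILyq01GVhq
      bhribfZzqfJhC7zAc09zw2NfQ2F6ZAAcTMmCK/GFTpKWgBufRl7gr93f3mNDzVP4
      9KDvQa62CUKEy7ELwxpAEyAlGEkym2Nw+SfiAy2W2uHrpV5UF4uVs58MKUnq3Ktw
      O04comiuLnXkY9/7USrMngnuJdxcwd6kEXuk6WUZGHWhgGkdP6Ww5DE2HNicSHnT
      2gJFOkvvyXO5G7rmndJgK4dlsDuTdax6obIVyVEn20L8sLhuzQwfg1Z+1rnvkZVC
      0n9gYp104e36HrAhX5xYwkZ2sn1Rls/PU94ciH/7TjCXOxdOLcXw4yo2btsGNtli
      9I/tjPn5GHgLWa8VCGdGBsij7XP2AqPFGnzqS2lFi28YxukCAwEAAaOCAZAwggGM
      MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
      YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/
      DVVuzBz4Tb2mji2hC3IeOR5t7jCB4AYDVR0jBIHYMIHVgBTgUyHn3CGUn931tyDF
      WVoc7+gfBaGBsaSBrjCBqzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTEN
      MAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3MgYXQgaG9tZTEPMA0GA1UECxMG
      c3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21lIENBMRAwDgYDVQQpEwdFYXN5
      UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFvcy1hdC1ob21lLm9yZ4IJAOGc
      Xf3qnvfBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDASBgNVHREE
      CzAJggdwYW5kb3JhMA0GCSqGSIb3DQEBCwUAA4ICAQBTa8rgGfdlmKOhrzZEPUCZ
      eAEICIpI1GnrHNLNAmbM4OIEO8lNPEVcsalqJSvFXaRh5lRBd4zGDhE2sehL13sX
      ceeZTh4Ss6xBguHWh3ZCLcZimqbritAF9zl53Aer6AeCw0lYTlgFVgZBPU9X4UXV
      mKqrmuorOy34vN/slRcsACrlWXonYAIrhSf6KPnTfmewp7c9LG2M8PBab05QC2tt
      NYy9lKN6bf6e16lTREInQcf6t29OihbgWeOur4EdFg5QuckYDvr/fbbK1D2tVFjR
      9p8jgb7gJfvbqSc9oA6RoLQCr5mpTZeYrJWoCGlT943sXwTemPSL9NcDq/hr0RDY
      uYUGWWR7uKi4RwGt1S5TvpEsE0p1KeiEpytInC4crWUeX5eU5oHqEmwbKFTkzTXM
      yTj6EL4hTK5nHCGPYgY6umnPnTEc/Z7/kB9GPV4dOqu8qCWL+82+4y5PPSw/6H9B
      BY5WYFlE66aYHpRvAseN7HKU1lqcX09rx6vTjVKtBilga3m44pOxPPgI9FN6XYQl
      r43j0QX7FStrSTBkU7QgkXimU7jxJF7PczAhwQW8+Eyk2T2C9o8/w6T27UqMVByB
      xnw1Z7IOVbenP1JUpX+xKvweCFjkcdGHF+bQ3ufWmo3MIwsapKC1859E37ENqWaF
      8ucdxgsmNPJk/dyj/4vqxQ==
      -----END CERTIFICATE-----

  # Private key, only ever from the vault.
  /etc/openvpn/server.key:
    mode: "0600"
    content: "{{ vault_openvpn_key }}"

  # Fixed client -> tunnel address assignments (ifconfig-pool-persist).
  # NOTE(review): 0444 makes the file unwritable by the openvpn process, which
  # drops to `nobody`, yet ifconfig-pool-persist rewrites the file periodically
  # unless given a 0-second interval. Expect a write warning in the log, or
  # pair this mode with `ifconfig_pool_persist: '/etc/openvpn/ipp.txt 0'`.
  /etc/openvpn/ipp.txt:
    mode: "0444"
    content: |
      pan,192.168.8.4
      mimas,192.168.8.8

  # Root's SSH keys -- the only way in, since password auth is off in the
  # dropbear section. Dropbear checks that authorized_keys is not group- or
  # world-writable, so the mode is pinned explicitly instead of relying on the
  # role's default.
  /etc/dropbear/authorized_keys:
    mode: "0600"
    content: "{{ ssh_keys_root | join('\n') }}\n"

  /etc/htoprc:
    file: "{{ global_files_dir }}/common/htoprc"

  # rc.d symlinks for the firewall script: brought up early (S22, right after
  # the network comes up) and taken down late (K91).
  /etc/rc.d/S22network-fw:
    link: "../init.d/network-fw"

  /etc/rc.d/K91network-fw:
    link: "../init.d/network-fw"

  # Hand-written packet filter. With the `firewall` package removed from the
  # image this script is the only thing between the WAN and the box/LAN. The
  # body is a Jinja template (the DNAT targets below are rendered from
  # network_zones when the file is written).
  /etc/init.d/network-fw:
    mode: "0755"
    content: |
      #!/bin/sh /etc/rc.common

      START=22
      STOP=91

      start() {
        MAGENTA_IF=$(uci get network.magenta.ifname)
        MAGENTA_IPADDR=$(uci get network.magenta.ipaddr)
        MAGENTA_NETMASK=$(uci get network.magenta.netmask)

        MGMT_IF=$(uci get network.mgmt.ifname)
        MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
        MGMT_NETMASK=$(uci get network.mgmt.netmask)

        SVC_IF=$(uci get "network.svc.ifname")
        SVC_IPADDR=$(uci get "network.svc.ipaddr")
        SVC_NETMASK=$(uci get "network.svc.netmask")

        SSH_PORT=$(uci get dropbear.@dropbear[0].Port)


        ## Start from a clean, closed table
        #
        # Rules are appended with -A, so flushing first keeps a repeated
        # `start` from duplicating them. Setting the policies to DROP before
        # any rule is added means a half-applied ruleset (e.g. a rule that
        # fails because one of the `uci get` calls above came back empty)
        # leaves the box closed instead of wide open.
        iptables -F INPUT
        iptables -F FORWARD
        iptables -t nat -F PREROUTING
        iptables -t nat -F POSTROUTING
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        # NOTE(review): everything below is IPv4 only. No ip6tables rules are
        # installed, so any IPv6 reachability of the WAN interface is
        # unfiltered unless IPv6 is disabled at the kernel level -- confirm.


        ## Local/Management Traffic
        #
        iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
        iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT


        ## VPN Traffic
        #
        # Stateless in both directions: svc hosts may also open connections
        # towards VPN clients. Client-to-client traffic is switched inside
        # openvpn and never reaches this filter.
        iptables -A FORWARD -i extern0 -s 192.168.8.0/24 -o "$SVC_IF" -j ACCEPT
        iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT


        ## WAN Traffic
        #
        # Services exposed on the router itself: ping, SSH (key-only) and
        # OpenVPN.
        iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT
        iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT
        iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT
        iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

        # Port forwards into the svc zone. Each DNAT needs a FORWARD accept for
        # the DNATed destination, otherwise the FORWARD policy drops the flow.
        {# TODO: generate this based on network_services #}
        iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}"
        iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT

        # TCP-only DNS forward (no UDP 53) -- presumably deliberate; confirm.
        iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 53 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}"
        iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}" -p tcp --dport 53 -j ACCEPT

        # NOTE(review): the DNATs below target ch-web-legacy / ch-mail-legacy
        # while the matching FORWARD accepts are for ch-web / ch-mail. Unless
        # both offsets resolve to the same address, the forwarded traffic hits
        # the DROP policy -- confirm whether these are aliases or a stale
        # migration leftover.
        iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 80 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web-legacy']) | ipaddr('address') }}"
        iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 443 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web-legacy']) | ipaddr('address') }}"
        iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 80 -j ACCEPT
        iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 443 -j ACCEPT

        iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 993 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail-legacy']) | ipaddr('address') }}"
        iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 993 -j ACCEPT



        ## LAN Traffic
        #
        # The router itself answers ping and SSH from any 192.168/16 source on
        # the svc interface; everything from 192.168/16 may go out to the WAN
        # and is masqueraded behind the WAN address.
        iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p icmp -j ACCEPT
        iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p tcp --dport "$SSH_PORT" -j ACCEPT
        iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

        iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT
        iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

        iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s 192.168.0.0/16 -j SNAT --to "$MAGENTA_IPADDR"
      }

      stop() {
        # Opens the box completely (ACCEPT policies, empty chains). A `restart`
        # therefore has a short fully-open window between stop and start.
        iptables -P INPUT ACCEPT
        iptables -F INPUT
        iptables -P FORWARD ACCEPT
        iptables -F FORWARD
        iptables -t nat -F PREROUTING
        iptables -t nat -F POSTROUTING
      }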


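openwrt_uci:
  system:
    - name: system
      options:
        hostname: '{{ host_name }}'
        timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
        # NOTE(review): '0' = no login prompt on the serial console, i.e. a
        # root shell. The console is a pty on the libvirt host (see
        # virsh_domxml), so anyone with `virsh console` rights on the host is
        # root on this router -- confirm that is an accepted trust boundary.
        ttylogin: '0'
        log_size: '64'
        # No saved urandom seed: entropy comes from the virtio-rng device via
        # rngd below, so there is nothing persistent to leak or replay.
        urandom_seed: '0'

    - name: timeserver 'ntp'
      options:
        enabled: '1'
        enable_server: '0'
        server:
          - '0.at.pool.ntp.org'
          - '1.at.pool.ntp.org'
          - '2.at.pool.ntp.org'
          - '3.at.pool.ntp.org'

    # Feeds the host-backed virtio-rng (see virsh_domxml) into the kernel pool.
    - name: rngd
      options:
        enabled: '1'
        device: '/dev/hwrng'

  # Key-only SSH. The port follows whatever Ansible uses to reach the host, and
  # the WAN/LAN INPUT rules in network-fw read it back from uci.
  dropbear:
    - name: dropbear
      options:
        PasswordAuth: 'off'
        RootPasswordAuth: 'off'
        Port: '{{ ansible_port | default(22) }}'

  openvpn:
    - name: openvpn 'extern'
      options:
        enabled: '1'
        port: '1194'
        proto: 'udp'
        dev_type: 'tun'
        dev: 'extern0'

        server: '192.168.8.0 255.255.255.0'
        # Clients can reach each other inside openvpn; that traffic never
        # passes through network-fw.
        client_to_client: '1'
        ifconfig_pool_persist: '/etc/openvpn/ipp.txt'
        push:
          - 'route 192.168.28.0 255.255.255.0'
          - 'route 192.168.32.0 255.255.255.0'

        tls_auth: '/etc/openvpn/ta.key 0'
        ca: '/etc/openvpn/ca.crt'
        cert: '/etc/openvpn/server.crt'
        key: '/etc/openvpn/server.key'
        dh: '/etc/openvpn/dhparams'
        # Only accept certificates that were issued as client certificates
        # (clientAuth EKU / nsCertType client), so a server certificate from
        # the same CA cannot be used to connect as a client. Assumes the client
        # certs come from Easy-RSA's client profile, which sets that EKU --
        # confirm against an existing client cert before rolling out.
        remote_cert_tls: 'client'

        # NOTE(review): DHE-RSA-AES256-SHA (CBC, SHA-1 MAC) and AES-256-CBC are
        # legacy choices; prefer AES-256-GCM, `tls_version_min: '1.2'` and an
        # ECDHE/AEAD tls_cipher. Not changed here because every client config
        # has to move in lockstep.
        tls_cipher: 'DHE-RSA-AES256-SHA'
        cipher: 'AES-256-CBC'
        auth: 'SHA256'
        # NOTE(review): compression inside the tunnel enables VORACLE-style
        # plaintext recovery and is deprecated by OpenVPN; disable it here and
        # on the clients together.
        comp_lzo: 'yes'

        keepalive: '10 120'
        persist_key: '1'
        persist_tun: '1'
        # Drop privileges after initialisation. `user` only changes the uid;
        # without `group` the process keeps its original (root) group.
        user: 'nobody'
        group: 'nogroup'
        verb: '3'

  network:
    - name: globals 'globals'
      options:
        # ULA prefix derived deterministically from the inventory hostname so
        # rebuilds keep the same prefix (not a secret).
        ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"

    - name: interface 'loopback'
      options:
        ifname: lo
        proto: static
        ipaddr: 127.0.0.1
        netmask: 255.0.0.0

    # eth0/eth1/eth2 ordering relies on the PCI slot order of the bridges in
    # virsh_domxml (br-svc, br-magenta, br-mgmt).
    - name: interface 'svc'
      options:
        ifname: eth0
        proto: static
        ipaddr: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address') }}"
        netmask: "{{ network_zones.svc.prefix | ipaddr('netmask') }}"

    # WAN side; the only interface with a default gateway.
    - name: interface 'magenta'
      options:
        ifname: eth1
        proto: static
        ipaddr: "{{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets[inventory_hostname]) | ipaddr('address') }}"
        netmask: "{{ network_zones.magenta.prefix | ipaddr('netmask') }}"
        gateway: "{{ network_zones.magenta.gateway }}"
        dns: "{{ network_zones.magenta.dns }}"

    - name: interface 'mgmt'
      options:
        ifname: eth2
        proto: static
        ipaddr: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address') }}"
        netmask: "{{ network_zones.mgmt.prefix | ipaddr('netmask') }}"

    # The LAN zone sits behind ch-gw-lan on the svc network.
    - name: route 'lan'
      options:
        interface: svc
        target: "{{ network_zones.lan.prefix | ipaddr('network') }}"
        netmask: "{{ network_zones.lan.prefix | ipaddr('netmask') }}"
        gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}"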


# libvirt domain for the router VM (presumably fed to `virsh define` by the
# hypervisor role, which is not visible here). Security-relevant points:
#  - kernel and raw rootfs are loaded straight from the host's /srv/ch-router,
#    so whoever can write there controls the router;
#  - the serial console is a pty on the host and, with system.ttylogin '0'
#    above, drops into a root shell -- `virsh console` rights on the host are
#    root on this router;
#  - the three NICs sit on the host bridges br-svc, br-magenta (WAN) and
#    br-mgmt, in that PCI slot order (matches eth0/eth1/eth2 in network);
#  - the virtio-rng backend feeds the guest from the host's /dev/random
#    (consumed by rngd via /dev/hwrng).
# NOTE(review): machine='pc-0.12' is a very old QEMU machine type -- confirm
# the host's QEMU still offers it.
virsh_domxml: |
  <domain type='kvm'>
    <name>ch-router</name>
    <memory>131072</memory>
    <currentMemory>131072</currentMemory>
    <vcpu>2</vcpu>
    <os>
      <type arch='x86_64' machine='pc-0.12'>hvm</type>
      <kernel>/srv/ch-router/vmlinuz</kernel>
      <cmdline>console=ttyS0,115200n8 noinitrd root=/dev/vda</cmdline>
      <boot dev='hd'/>
    </os>
    <features>
      <acpi/>
      <apic/>
      <pae/>
    </features>
    <clock offset='utc'/>
    <on_poweroff>destroy</on_poweroff>
    <on_reboot>restart</on_reboot>
    <on_crash>restart</on_crash>
    <devices>
      <emulator>/usr/bin/kvm</emulator>
      <rng model='virtio'>
        <!-- <rate period="2000" bytes="204800"/> -->
        <backend model='random'>/dev/random</backend>
      </rng>
      <disk type='file' device='disk'>
        <driver name='qemu' type='raw' cache='none'/>
        <source file='/srv/ch-router/rootfs-ext4.img'/>
        <target dev='sda' bus='virtio'/>
      </disk>
      <interface type='bridge'>
        <source bridge='br-svc'/>
        <model type='virtio'/>
        <address type='pci' domain='0x0000' bus='0x01' slot='0x01' function='0x0'/>
      </interface>
      <interface type='bridge'>
        <source bridge='br-magenta'/>
        <model type='virtio'/>
        <address type='pci' domain='0x0000' bus='0x01' slot='0x02' function='0x0'/>
      </interface>
      <interface type='bridge'>
        <source bridge='br-mgmt'/>
        <model type='virtio'/>
        <address type='pci' domain='0x0000' bus='0x01' slot='0x03' function='0x0'/>
      </interface>
      <console type='pty'>
        <target type='serial' port='0'/>
      </console>
    </devices>
  </domain>