diff --git a/playbook.yaml b/playbook.yaml index 6ea89af..217f7bd 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -5,24 +5,39 @@ - install - configure vars: + ## Пакеты для установки apps: - networkmanager - modemmanager - iptables - dnsmasq - # - hostapd - # - dhcpd + + ## Конфигурация wifi + # Имя сети wifi_ssid: "test" + # Пароль для сети wifi_psk: "test12345" + # Статический адрес интерфейса и шлюз wifi_int_ip: 10.1.10.1 + # Имя lte модема для настройки NetworkManager LTE_con_name: "LTE" - # dhcpd + + ## dnsmasq + # Время аренды в секундах lease_time: 10800 + # Список DNS серверов для клиентов DHCP в файле /etc/dnsmasq.conf + nameservers: + - 77.88.8.8 + - 77.88.8.1 + # Подсеть subnet: 10.1.10.0 + # Сетевая маска netmask: 255.255.255.0 + # Диапозон выдаваемых IP адресов dnsmasq DHCP range_start: 10.1.10.10 range_end: 10.1.10.200 - default_lease_time: 600 - max_lease_time: 10800 - dns1: 77.88.8.8 - dns2: 77.88.8.1 + # Статические адреса в формате MAC,IP d0:50:99:82:e7:2b,192.168.10.46 + static: + - "d0:50:99:82:e7:2a,10.1.10.10" + - "d0:50:99:82:e7:2b,10.1.10.12" + - "d0:50:99:82:e7:2c,10.1.10.13" \ No newline at end of file diff --git a/roles/configure/tasks/iptables.yaml b/roles/configure/tasks/iptables.yaml new file mode 100644 index 0000000..b5e3868 --- /dev/null +++ b/roles/configure/tasks/iptables.yaml 
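Review bot: The Wi-Fi PSK is still a plaintext literal in committed vars (`wifi_psk: "test12345"`), and this hunk now documents it as the network password without moving it out of the repository. Keep the variable name but source it from an encrypted store, e.g. `wifi_psk: "{{ vault_wifi_psk }}"` with `vault_wifi_psk` in an `ansible-vault`-encrypted vars file, or ask for it with `vars_prompt`; that matters as soon as the test SSID/PSK are replaced by real ones. The example in the new `static` comment (`192.168.10.46`) is not in `subnet: 10.1.10.0` / `255.255.255.0`, so someone copying it creates a reservation that does not belong to the served network — use an in-subnet address such as `10.1.10.46` in the comment. Minor: `# Диапозон` should read `Диапазон`.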
@@ -0,0 +1,153 @@ +- name: Iptables flush + ansible.builtin.iptables: + table: "{{ item.table }}" + chain: "{{ item.chain }}" + flush: yes + loop: + - { table: filter, chain: INPUT } + - { table: filter, chain: FORWARD } + - { table: filter, chain: OUTPUT } + - { table: nat, chain: PREROUTING } + - { table: nat, chain: POSTROUTING } + - { table: nat, chain: INPUT } + - { table: nat, chain: OUTPUT } + - { table: mangle, chain: PREROUTING } + - { table: mangle, chain: FORWARD } + - { table: mangle, chain: OUTPUT } + tags: + - flush +- name: Set default policies + iptables: + chain: "{{ item.chain }}" + policy: ACCEPT + loop: + - { chain: INPUT } + - { chain: OUTPUT } + - { chain: FORWARD } + tags: + - flush +- name: Allow outgoing connections on LAN all + iptables: + chain: OUTPUT + out_interface: "{{ item }}" + jump: ACCEPT + loop: "{{ without_lte.stdout_lines }}" + +- name: Allow loopback traffic + iptables: + chain: INPUT + protocol: all + jump: ACCEPT + in_interface: lo + +- name: Allow loopback traffic for OUTPUT + iptables: + chain: OUTPUT + protocol: all + jump: ACCEPT + out_interface: lo + +- name: Allow ICMP echo-reply + ansible.builtin.iptables: + chain: INPUT + protocol: icmp + icmp_type: echo-reply # Разрешаем ответы на ping + jump: ACCEPT + comment: Allow ICMP echo-reply + state: present + +- name: Allow specific ICMP types + ansible.builtin.iptables: + chain: INPUT + protocol: icmp + jump: ACCEPT + icmp_type: "{{ item }}" + comment: "Allow ICMP {{ item }}" + loop: + - destination-unreachable + - time-exceeded + +- name: Allow ICMP echo-request + ansible.builtin.iptables: + chain: INPUT + protocol: icmp + icmp_type: echo-request # Разрешаем запросы ping + jump: ACCEPT + comment: Allow ICMP echo-request + state: present + +- name: Allow established and related connections + iptables: + chain: "{{ item }}" + protocol: all + jump: ACCEPT + ctstate: + - ESTABLISHED + - RELATED + action: insert + rule_num: 1 + loop: + - INPUT + - OUTPUT + - FORWARD + + +- 
name: Drop invalid packets on INPUT + iptables: + chain: INPUT + jump: DROP + match: state + ctstate: INVALID + state: present + action: insert + rule_num: 1 +- name: Drop invalid packets on FORWARD + iptables: + chain: FORWARD + jump: DROP + match: state + ctstate: INVALID + state: present + action: insert + rule_num: 1 + +- name: Drop non-SYN packets for new TCP connections in INPUT chain + iptables: + chain: INPUT + protocol: tcp + jump: DROP + match: conntrack + ctstate: NEW + syn: negate # Это эквивалентно '! --syn' + +- name: Drop non-SYN packets for new TCP connections in OUTPUT chain + iptables: + chain: OUTPUT + protocol: tcp + jump: DROP + match: conntrack + ctstate: NEW + syn: negate # Это эквивалентно '! --syn' + +- name: Allow TCP MSS clamping + command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + + +- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }} + iptables: + chain: FORWARD + in_interface: "{{ wifi_int.stdout }}" + out_interface: "{{ lte_int.stdout }}" + jump: ACCEPT + action: insert + rule_num: 4 + +- name: Enable masquerading for {{ lte_int.stdout }} + iptables: + chain: POSTROUTING + jump: MASQUERADE + table: nat + out_interface: "{{ lte_int.stdout }}" + +- name: Save iptables rules + command: iptables-save -f /etc/iptables/iptables.rules \ No newline at end of file diff --git a/roles/configure/tasks/main.yaml b/roles/configure/tasks/main.yaml index a8011c4..3ecab24 100644 --- a/roles/configure/tasks/main.yaml +++ b/roles/configure/tasks/main.yaml 
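Review bot: All three filter chains get `policy: ACCEPT` and the file never adds a terminal DROP, so anything not matched by an explicit rule is accepted: every local listener (sshd and whatever else is running) is reachable from the LTE/WAN interface, and `FORWARD` also passes new connections from `{{ lte_int.stdout }}` towards the LAN, which reduces the ICMP, ESTABLISHED/RELATED and INVALID rules to cosmetics rather than a boundary. Keep ACCEPT while the chains are being rebuilt — setting DROP right after the flush, before the ESTABLISHED rule exists, would cut the Ansible control connection — then accept input from the LAN interfaces and switch `INPUT`/`FORWARD` to DROP as the last step before `iptables-save`; if Ansible reaches the host over LTE an explicit SSH accept on that interface is needed as well, and narrowing the LAN rule to DHCP/DNS/SSH is the natural next step. `command: iptables -A FORWARD ... TCPMSS` is not idempotent (a run with `--skip-tags flush` appends a duplicate each time); the module has no `--clamp-mss-to-pmtu` option, so guard it with a check, e.g. `shell: iptables -C FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` with a matching `changed_when`. Nothing here touches `ip6tables`, so if the modem provides IPv6 the same exposure exists there completely unfiltered.
```yaml
# … unchanged: flush, ACCEPT policies (kept during the rebuild so the control
#   connection survives), loopback, ICMP, established/related, INVALID,
#   non-SYN, MSS clamp, wifi->lte FORWARD accept, MASQUERADE …

- name: Allow incoming connections from LAN interfaces
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: "{{ item }}"
    jump: ACCEPT
  loop: "{{ without_lte.stdout_lines }}"

# Only now, with the accept rules and the ESTABLISHED/RELATED rule in place,
# close INPUT and FORWARD; OUTPUT stays ACCEPT.
- name: Set default policies to DROP
  ansible.builtin.iptables:
    chain: "{{ item }}"
    policy: DROP
  loop:
    - INPUT
    - FORWARD

# … unchanged: iptables-save …
```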
@@ -33,7 +33,19 @@ service: name: dnsmasq state: stopped - enabled: false +# Отключаем dnsmasq. NetworkManager запускает экземпляр dnsmasq + enabled: false + tags: dnsmasq + +- name: Get physical interfaces without LTE modem interface + command: find /sys/class/net -type l -not -lname '*virtual*' -not -name '*wwp*' -printf '%f\n' + register: without_lte + changed_when: false + check_mode: false + tags: + - dnsmasq + - iptables + - name: Get physical interfaces names WIFI modems command: find /sys/class/net -type l -lname '*wlp*' -printf '%f\n' @@ -51,6 +63,8 @@ template: src: dnsmasq.conf.j2 dest: /etc/dnsmasq.conf + tags: dnsmasq + - name: Configure NetworkManager template: src: NetworkManager.conf.j2 @@ -91,35 +105,18 @@ - name: Run nmcli to activate LTE access point connection command: /usr/bin/nmcli c up {{ LTE_con_name }} -- name: Iptables flush filter - ansible.builtin.iptables: - chain: "{{ item }}" - flush: yes - with_items: [ 'INPUT', 'FORWARD', 'OUTPUT' ] +- name: Apply tags to tasks within included file + include_tasks: iptables.yaml + args: + apply: + tags: + - iptables + tags: + - iptables + - flush -- name: Iptables flush nat - ansible.builtin.iptables: - table: nat - chain: '{{ item }}' - flush: yes - with_items: [ 'INPUT', 'OUTPUT', 'PREROUTING', 'POSTROUTING' ] - -- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }} - iptables: - chain: FORWARD - in_interface: "{{ wifi_int.stdout }}" - out_interface: "{{ lte_int.stdout }}" - jump: ACCEPT -- name: Enable masquerading for {{ lte_int.stdout }} - iptables: - chain: POSTROUTING - jump: MASQUERADE - table: nat - out_interface: "{{ lte_int.stdout }}" -- name: Save iptables rules - command: iptables-save -f /etc/iptables/iptables.rules # - name: Configure {{ wifi_int.stdout_lines | first }} interface # template: # src: 25-wireless.network.j2 diff --git a/roles/configure/templates/NetworkManager.conf.j2 b/roles/configure/templates/NetworkManager.conf.j2 index 53a8b17..458e721 100644 
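Review bot: The LAN interface list is built by name exclusion (`-not -name '*wwp*'`), so a modem that enumerates under another name (`wwan0`, or `usb0`/`enx…` for modems that present as USB ethernet) lands in `without_lte` and is then treated as a LAN port: dnsmasq binds to it through the `interface=` loop in the template and the firewall allows output on it. If the exclusion is meant to match the same device the `lte_int` lookup selects (that task is outside this hunk), derive both from one source or exclude by driver/devtype rather than by name; at minimum document the assumption above the task: `# Assumes the LTE modem is the only interface named wwp*; check 'ip link' on new hardware`. `changed_when: false` and `check_mode: false` on a read-only `find` are the right choice.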
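Review bot: Tagging the include with `flush` in addition to `iptables` makes `ansible-playbook --tags flush` a footgun: inside iptables.yaml only the flush tasks and the `policy: ACCEPT` task carry that tag, so such a run leaves the router with empty, allow-all chains and never reaches the rules or `iptables-save`. Remove `flush` from the include's own `tags` so the chains can only be emptied as part of a full `iptables` run, or make the flush tasks themselves leave a safe policy behind. The included tasks also read `wifi_int.stdout` and `lte_int.stdout`; `without_lte` was given the `iptables` tag in this commit, but the tasks registering `wifi_int`/`lte_int` are outside this hunk — if they are not tagged `iptables` too, a `--tags iptables` run fails on an undefined variable.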
--- a/roles/configure/templates/NetworkManager.conf.j2 +++ b/roles/configure/templates/NetworkManager.conf.j2 @@ -1,2 +1,3 @@ +# MANAGED BY ANSIBLE DONT TOUCH BY HANDS # [main] dns=dnsmasq diff --git a/roles/configure/templates/dnsmasq.conf.j2 b/roles/configure/templates/dnsmasq.conf.j2 index 11cd496..6ab2253 100644 --- a/roles/configure/templates/dnsmasq.conf.j2 +++ b/roles/configure/templates/dnsmasq.conf.j2 @@ -1,10 +1,19 @@ -interface={{ wifi_int.stdout_lines | first }} -dhcp-range={{ range_start }},{{ range_end }},2h +# MANAGED BY ANSIBLE DONT TOUCH BY HANDS # +{% for interface in without_lte.stdout_lines %} +interface={{ interface }} +{% endfor %} +{% for nameserver in nameservers %} +server={{ nameserver }} +{% endfor %} +dhcp-range={{ range_start }},{{ range_end }},12h dhcp-option=1,{{ netmask }} dhcp-option=2,{{ lease_time }} # время аренды в секундах dhcp-option=3,{{ wifi_int_ip }} # шлюз по умолчанию -dhcp-option=6,{{ dns1 }} dhcp-authoritative +# Static +{% for mac_ip in static %} +dhcp-host={{ mac_ip }} +{% endfor %} log-queries #log-dhcp -log-facility=/var/log/dnsmasq.log \ No newline at end of file +log-facility=/var/log/dnsmasq.log
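Review bot: The lease time is now hard-coded as `12h` in `dhcp-range` while the playbook documents `lease_time` (10800 s) as the dnsmasq lease, and the two disagree; worse, `dhcp-option=2,{{ lease_time }}` on the following line does not set the lease at all — DHCP option 2 is the time-offset option, the lease is option 51 and dnsmasq takes it from the range. Change the range to `dhcp-range={{ range_start }},{{ range_end }},{{ lease_time }}` (a bare number is read as seconds) and delete the `dhcp-option=2` line. Since main.yaml now disables the system dnsmasq service in favour of NetworkManager's instance, confirm which process actually reads this file: NetworkManager's dnsmasq plugin does not load `/etc/dnsmasq.conf` by default, so these settings may not be in effect at all. `log-queries` records every client's DNS lookups to `/var/log/dnsmasq.log`; keep it off, or add rotation and restrict the file's permissions, before this leaves the test stage.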