ff

playbook.yaml

@@ -5,24 +5,39 @@
     - install
     - configure
   vars:
+    ## Пакеты для установки
     apps:
     - networkmanager
     - modemmanager
     - iptables
     - dnsmasq
-    # - hostapd
-    # - dhcpd
+
+    ## Конфигурация wifi
+    # Имя сети
     wifi_ssid: "test"
+    # Пароль для сети 
     wifi_psk: "test12345"
+    # Статический адрес интерфейса и шлюз
     wifi_int_ip: 10.1.10.1
+    # Имя lte модема для настройки NetworkManager
     LTE_con_name: "LTE"
-    # dhcpd
+
+    ## dnsmasq
+    # Время аренды в секундах
     lease_time: 10800
+    # Список DNS серверов для клиентов DHCP в файле /etc/dnsmasq.conf
+    nameservers:
+    - 77.88.8.8
+    - 77.88.8.1
+    # Подсеть
     subnet: 10.1.10.0
+    # Сетевая маска
     netmask: 255.255.255.0
+    # Диапозон выдаваемых IP адресов dnsmasq DHCP
     range_start: 10.1.10.10
     range_end: 10.1.10.200
-    default_lease_time: 600
-    max_lease_time: 10800
-    dns1: 77.88.8.8
-    dns2: 77.88.8.1
+    # Статические адреса в формате MAC,IP d0:50:99:82:e7:2b,192.168.10.46
+    static:
+    - "d0:50:99:82:e7:2a,10.1.10.10"
+    - "d0:50:99:82:e7:2b,10.1.10.12"
+    - "d0:50:99:82:e7:2c,10.1.10.13"

roles/configure/tasks/iptables.yaml

@@ -0,0 +1,153 @@
+- name: Iptables flush
+  ansible.builtin.iptables:
+    table: "{{ item.table }}"
+    chain: "{{ item.chain }}"
+    flush: yes
+  loop:
+    - { table: filter, chain: INPUT }
+    - { table: filter, chain: FORWARD }
+    - { table: filter, chain: OUTPUT }
+    - { table: nat, chain: PREROUTING }
+    - { table: nat, chain: POSTROUTING }
+    - { table: nat, chain: INPUT }
+    - { table: nat, chain: OUTPUT }
+    - { table: mangle, chain: PREROUTING }
+    - { table: mangle, chain: FORWARD }
+    - { table: mangle, chain: OUTPUT }
+  tags: 
+  - flush
+- name: Set default policies
+  iptables:
+    chain: "{{ item.chain }}"
+    policy: ACCEPT
+  loop:
+    - { chain: INPUT }
+    - { chain: OUTPUT }
+    - { chain: FORWARD }
+  tags: 
+  - flush
+- name: Allow outgoing connections on LAN all
+  iptables:
+    chain: OUTPUT
+    out_interface: "{{ item }}"
+    jump: ACCEPT
+  loop: "{{ without_lte.stdout_lines }}"
+
+- name: Allow loopback traffic
+  iptables:
+    chain: INPUT
+    protocol: all
+    jump: ACCEPT
+    in_interface: lo
+    
+- name: Allow loopback traffic for OUTPUT
+  iptables:
+    chain: OUTPUT
+    protocol: all
+    jump: ACCEPT
+    out_interface: lo
+
+- name: Allow ICMP echo-reply
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: icmp
+    icmp_type: echo-reply  # Разрешаем ответы на ping
+    jump: ACCEPT
+    comment: Allow ICMP echo-reply
+    state: present
+    
+- name: Allow specific ICMP types
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: icmp
+    jump: ACCEPT
+    icmp_type: "{{ item }}"
+    comment: "Allow ICMP {{ item }}"
+  loop:
+    - destination-unreachable
+    - time-exceeded
+    
+- name: Allow ICMP echo-request
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: icmp
+    icmp_type: echo-request  # Разрешаем запросы ping
+    jump: ACCEPT
+    comment: Allow ICMP echo-request
+    state: present
+
+- name: Allow established and related connections
+  iptables:
+    chain: "{{ item }}"
+    protocol: all
+    jump: ACCEPT
+    ctstate:
+      - ESTABLISHED
+      - RELATED
+    action: insert
+    rule_num: 1
+  loop:
+    - INPUT
+    - OUTPUT
+    - FORWARD
+  
+
+- name: Drop invalid packets on INPUT
+  iptables:
+    chain: INPUT
+    jump: DROP
+    match: state
+    ctstate: INVALID
+    state: present
+    action: insert
+    rule_num: 1
+- name: Drop invalid packets on FORWARD
+  iptables:
+    chain: FORWARD
+    jump: DROP
+    match: state
+    ctstate: INVALID
+    state: present
+    action: insert
+    rule_num: 1
+
+- name: Drop non-SYN packets for new TCP connections in INPUT chain
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    jump: DROP
+    match: conntrack
+    ctstate: NEW
+    syn: negate  # Это эквивалентно '! --syn'
+
+- name: Drop non-SYN packets for new TCP connections in OUTPUT chain
+  iptables:
+    chain: OUTPUT
+    protocol: tcp
+    jump: DROP
+    match: conntrack
+    ctstate: NEW
+    syn: negate  # Это эквивалентно '! --syn'
+    
+- name: Allow TCP MSS clamping
+  command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+
+- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
+  iptables:
+    chain: FORWARD
+    in_interface: "{{ wifi_int.stdout }}"
+    out_interface: "{{ lte_int.stdout }}"
+    jump: ACCEPT
+    action: insert
+    rule_num: 4 
+
+- name: Enable masquerading for {{ lte_int.stdout }}
+  iptables:
+    chain: POSTROUTING
+    jump: MASQUERADE
+    table: nat
+    out_interface: "{{ lte_int.stdout }}"
+
+- name: Save iptables rules
+  command: iptables-save -f /etc/iptables/iptables.rules

roles/configure/tasks/main.yaml

@@ -33,7 +33,19 @@
   service: 
     name: dnsmasq
     state: stopped
+# Отключаем dnsmasq. NetworkManager запускает экземпляр dnsmasq
     enabled: false 
+  tags: dnsmasq
+
+- name: Get physical interfaces without LTE modem interface
+  command: find /sys/class/net -type l -not -lname '*virtual*' -not -name '*wwp*' -printf '%f\n' 
+  register: without_lte
+  changed_when: false
+  check_mode: false
+  tags: 
+  - dnsmasq
+  - iptables
+
 
 - name: Get physical interfaces names WIFI modems
   command: find /sys/class/net -type l -lname '*wlp*' -printf '%f\n' 
@@ -51,6 +63,8 @@
   template:
     src: dnsmasq.conf.j2
     dest: /etc/dnsmasq.conf
+  tags: dnsmasq
+
 - name: Configure NetworkManager
   template:
     src: NetworkManager.conf.j2
@@ -91,35 +105,18 @@
 - name: Run nmcli to activate LTE access point connection
   command: /usr/bin/nmcli c up {{ LTE_con_name }}
 
-- name: Iptables flush filter
-  ansible.builtin.iptables:
-    chain: "{{ item }}"
-    flush: yes
-  with_items:  [ 'INPUT', 'FORWARD', 'OUTPUT' ]
+- name: Apply tags to tasks within included file
+  include_tasks: iptables.yaml
+  args:
+    apply:
+      tags:
+        - iptables
+  tags:
+    - iptables
+    - flush
 
-- name: Iptables flush nat
-  ansible.builtin.iptables:
-    table: nat
-    chain: '{{ item }}'
-    flush: yes
-  with_items: [ 'INPUT', 'OUTPUT', 'PREROUTING', 'POSTROUTING' ]
 
-- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
-  iptables:
-    chain: FORWARD
-    in_interface: "{{ wifi_int.stdout }}"
-    out_interface: "{{ lte_int.stdout }}"
-    jump: ACCEPT
 
-- name: Enable masquerading for {{ lte_int.stdout }}
-  iptables:
-    chain: POSTROUTING
-    jump: MASQUERADE
-    table: nat
-    out_interface: "{{ lte_int.stdout }}"
-
-- name: Save iptables rules
-  command: iptables-save -f /etc/iptables/iptables.rules
 # - name: Configure {{ wifi_int.stdout_lines | first }} interface
 #   template:
 #     src: 25-wireless.network.j2

roles/configure/templates/NetworkManager.conf.j2

@@ -1,2 +1,3 @@
+# MANAGED BY ANSIBLE DONT TOUCH BY HANDS #
 [main]
 dns=dnsmasq

roles/configure/templates/dnsmasq.conf.j2

@@ -1,10 +1,19 @@
-interface={{ wifi_int.stdout_lines | first }}
-dhcp-range={{ range_start }},{{ range_end }},2h
+# MANAGED BY ANSIBLE DONT TOUCH BY HANDS #
+{% for interface in without_lte.stdout_lines %}
+interface={{ interface }}
+{% endfor %}
+{% for nameserver in nameservers %}
+server={{ nameserver }}
+{% endfor %}
+dhcp-range={{ range_start }},{{ range_end }},12h
 dhcp-option=1,{{ netmask }}
 dhcp-option=2,{{ lease_time }} # время аренды в секундах
 dhcp-option=3,{{ wifi_int_ip }} # шлюз по умолчанию
-dhcp-option=6,{{ dns1 }}
 dhcp-authoritative
+# Static
+{% for mac_ip in static %}
+dhcp-host={{ mac_ip }}
+{% endfor %}
 log-queries
 #log-dhcp
 log-facility=/var/log/dnsmasq.log