From d1cab7f74f164d17468f7527e77f6af5834606f7 Mon Sep 17 00:00:00 2001 From: Aleksandr Malyavin Date: Tue, 3 Sep 2024 21:42:54 +0300 Subject: [PATCH] ff --- playbook.yaml | 8 +- roles/configure/tasks/iptables.yaml | 220 ++++++++++++++-------------- roles/configure/tasks/main.yaml | 31 +++- 3 files changed, 144 insertions(+), 115 deletions(-) diff --git a/playbook.yaml b/playbook.yaml index 217f7bd..48492e5 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -17,11 +17,17 @@ wifi_ssid: "test" # Пароль для сети wifi_psk: "test12345" - # Статический адрес интерфейса и шлюз + # Статические адрес интерфейса и шлюз wifi_int_ip: 10.1.10.1 + phy_int1: 10.1.10.2 + phy_int2: 10.1.10.3 # Имя lte модема для настройки NetworkManager LTE_con_name: "LTE" + phy_int1_name: "physical_1" + phy1_iface_name: "enp89s0" + phy_int2_name: "physical_2" + phy2_iface_name: "enp89s0" ## dnsmasq # Время аренды в секундах lease_time: 10800 diff --git a/roles/configure/tasks/iptables.yaml b/roles/configure/tasks/iptables.yaml index 255b58d..2580674 100644 --- a/roles/configure/tasks/iptables.yaml +++ b/roles/configure/tasks/iptables.yaml 
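Review bot: `phy1_iface_name` and `phy2_iface_name` are both given the value `"enp89s0"`, so the two new connection profiles `physical_1` and `physical_2` would be bound to the same NIC; the task this commit removes in roles/configure/tasks/main.yaml used `enp90s0`, so one of the two values looks like a copy-paste slip. If both profiles really are meant to share the device for now (the phy1 tasks are commented out in the main.yaml hunk), say so next to the variables, e.g. `# phy1 profile is disabled in tasks/main.yaml; both names point at enp89s0 until the second NIC is wired`. The new comment `# Статические адрес интерфейса и шлюз` mixes a plural adjective with a singular noun; `# Статические адреса интерфейсов и шлюз` reads correctly now that three addresses follow it.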
@@ -26,128 +26,128 @@ - { chain: FORWARD } tags: - flush -# - name: Allow outgoing connections on LAN all -# iptables: -# chain: OUTPUT -# out_interface: "{{ item }}" -# jump: ACCEPT -# loop: "{{ without_lte.stdout_lines }}" +- name: Allow outgoing connections on LAN all + iptables: + chain: OUTPUT + out_interface: "{{ item }}" + jump: ACCEPT + loop: "{{ without_lte.stdout_lines }}" -# - name: Allow loopback traffic -# iptables: -# chain: INPUT -# protocol: all -# jump: ACCEPT -# in_interface: lo +- name: Allow loopback traffic + iptables: + chain: INPUT + protocol: all + jump: ACCEPT + in_interface: lo -# - name: Allow loopback traffic for OUTPUT -# iptables: -# chain: OUTPUT -# protocol: all -# jump: ACCEPT -# out_interface: lo +- name: Allow loopback traffic for OUTPUT + iptables: + chain: OUTPUT + protocol: all + jump: ACCEPT + out_interface: lo -# - name: Allow ICMP echo-reply -# ansible.builtin.iptables: -# chain: INPUT -# protocol: icmp -# icmp_type: echo-reply # Разрешаем ответы на ping -# jump: ACCEPT -# comment: Allow ICMP echo-reply -# state: present +- name: Allow ICMP echo-reply + ansible.builtin.iptables: + chain: INPUT + protocol: icmp + icmp_type: echo-reply # Разрешаем ответы на ping + jump: ACCEPT + comment: Allow ICMP echo-reply + state: present -# - name: Allow specific ICMP types -# ansible.builtin.iptables: -# chain: INPUT -# protocol: icmp -# jump: ACCEPT -# icmp_type: "{{ item }}" -# comment: "Allow ICMP {{ item }}" -# loop: -# - destination-unreachable -# - time-exceeded +- name: Allow specific ICMP types + ansible.builtin.iptables: + chain: INPUT + protocol: icmp + jump: ACCEPT + icmp_type: "{{ item }}" + comment: "Allow ICMP {{ item }}" + loop: + - destination-unreachable + - time-exceeded -# - name: Allow ICMP echo-request -# ansible.builtin.iptables: -# chain: INPUT -# protocol: icmp -# icmp_type: echo-request # Разрешаем запросы ping -# jump: ACCEPT -# comment: Allow ICMP echo-request -# state: present +- name: Allow ICMP echo-request 
+ ansible.builtin.iptables: + chain: INPUT + protocol: icmp + icmp_type: echo-request # Разрешаем запросы ping + jump: ACCEPT + comment: Allow ICMP echo-request + state: present -# - name: Allow established and related connections -# iptables: -# chain: "{{ item }}" -# protocol: all -# jump: ACCEPT -# ctstate: -# - ESTABLISHED -# - RELATED -# action: insert -# rule_num: 1 -# loop: -# - INPUT -# - OUTPUT -# - FORWARD +- name: Allow established and related connections + iptables: + chain: "{{ item }}" + protocol: all + jump: ACCEPT + ctstate: + - ESTABLISHED + - RELATED + action: insert + rule_num: 1 + loop: + - INPUT + - OUTPUT + - FORWARD -# - name: Drop invalid packets on INPUT -# iptables: -# chain: INPUT -# jump: DROP -# match: state -# ctstate: INVALID -# state: present -# action: insert -# rule_num: 1 -# - name: Drop invalid packets on FORWARD -# iptables: -# chain: FORWARD -# jump: DROP -# match: state -# ctstate: INVALID -# state: present -# action: insert -# rule_num: 1 +- name: Drop invalid packets on INPUT + iptables: + chain: INPUT + jump: DROP + match: state + ctstate: INVALID + state: present + action: insert + rule_num: 1 +- name: Drop invalid packets on FORWARD + iptables: + chain: FORWARD + jump: DROP + match: state + ctstate: INVALID + state: present + action: insert + rule_num: 1 -# - name: Drop non-SYN packets for new TCP connections in INPUT chain -# iptables: -# chain: INPUT -# protocol: tcp -# jump: DROP -# match: conntrack -# ctstate: NEW -# syn: negate # Это эквивалентно '! --syn' +- name: Drop non-SYN packets for new TCP connections in INPUT chain + iptables: + chain: INPUT + protocol: tcp + jump: DROP + match: conntrack + ctstate: NEW + syn: negate # Это эквивалентно '! --syn' -# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain -# iptables: -# chain: OUTPUT -# protocol: tcp -# jump: DROP -# match: conntrack -# ctstate: NEW -# syn: negate # Это эквивалентно '! 
--syn' +- name: Drop non-SYN packets for new TCP connections in OUTPUT chain + iptables: + chain: OUTPUT + protocol: tcp + jump: DROP + match: conntrack + ctstate: NEW + syn: negate # Это эквивалентно '! --syn' -# - name: Allow TCP MSS clamping -# command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +- name: Allow TCP MSS clamping + command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -# - name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }} -# iptables: -# chain: FORWARD -# in_interface: "{{ wifi_int.stdout }}" -# out_interface: "{{ lte_int.stdout }}" -# jump: ACCEPT -# action: insert -# rule_num: 3 +- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }} + iptables: + chain: FORWARD + source: "{{ subnet }}/24" + out_interface: "{{ lte_int.stdout }}" + jump: ACCEPT + action: insert + rule_num: 3 -# - name: Enable masquerading for {{ lte_int.stdout }} -# iptables: -# chain: POSTROUTING -# jump: MASQUERADE -# table: nat -# out_interface: "{{ lte_int.stdout }}" +- name: Enable masquerading for {{ lte_int.stdout }} + iptables: + chain: POSTROUTING + jump: MASQUERADE + table: nat + out_interface: "{{ lte_int.stdout }}" -# - name: Save iptables rules -# command: iptables-save -f /etc/iptables/iptables.rules \ No newline at end of file +- name: Save iptables rules + command: iptables-save -f /etc/iptables/iptables.rules \ No newline at end of file diff --git a/roles/configure/tasks/main.yaml b/roles/configure/tasks/main.yaml index e7ca070..0901db7 100644 --- a/roles/configure/tasks/main.yaml +++ b/roles/configure/tasks/main.yaml 
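Review bot: The rewritten `Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}` task matches on `source: "{{ subnet }}/24"` and no longer on `in_interface`, so any packet carrying a source address in that subnet is forwarded to the LTE uplink whichever interface it arrives on; a source-only match can be satisfied by spoofed addresses from the uplink side, and the task name now describes a constraint the rule does not apply. Keep the interface binding alongside the subnet match by adding `in_interface: "{{ wifi_int.stdout }}"` under `chain: FORWARD`. `subnet` is not among the variables added in this commit's playbook.yaml hunk, so it is presumably defined elsewhere — worth confirming it resolves before this rule runs. `Allow TCP MSS clamping` still appends with `command: iptables -A …` on every run, so the rule is duplicated whenever the play runs without the flush tag; a preceding `iptables -C` probe with the same arguments, registered with `failed_when: false` and used in a `when:` on its return code, would make the append idempotent.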
@@ -76,17 +76,40 @@ register: nmcli_result ignore_errors: True -- name: Check result nmcli +- name: Check result nmcli {{ wifi_ssid }} set_fact: nmcli_failed: "{{ nmcli_result.rc != 0 }}" +# - name: Run nmcli to check if phy1 connection has already been added +# shell: /usr/bin/nmcli c | grep {{ phy_int1_name }} +# register: phy1_result +# ignore_errors: True + +# - name: Check result nmcli {{ phy_int1_name }} +# set_fact: +# phy1_failed: "{{ phy1_result.rc != 0 }}" + +- name: Run nmcli to check if phy2 connection has already been added + shell: /usr/bin/nmcli c | grep {{ phy_int2_name }} + register: phy2_result + ignore_errors: True + +- name: Check result nmcli {{ phy_int2_name }} + set_fact: + phy2_failed: "{{ phy2_result.rc != 0 }}" + - name: Run nmcli to add a connection with the specified parameters as a wifi access point if above check has failed command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ wifi_ssid }} ifname {{ wifi_int.stdout }} type wifi ssid {{ wifi_ssid }} mode ap ip4 {{ wifi_int_ip }} when: nmcli_failed -- name: Configure physical interface - command: /usr/bin/nmcli c add autoconnect yes save yes con-name eth1 ifname enp90s0 type ethernet ipv4.method manual ipv4.address 10.1.10.2 - when: nmcli_failed +# - name: Configure physical interface 1 +# command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ phy_int1_name }} ifname {{ phy1_iface_name }} type ethernet ipv4.method shared ipv4.address {{ phy_int1 }} +# when: phy1_failed + +- name: Configure physical interface 1 + command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ phy_int2_name }} ifname {{ phy2_iface_name }} type ethernet ipv4.method shared ipv4.address {{ phy_int2 }} + when: phy2_failed + - name: Run nmcli to add a connection LTE command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ LTE_con_name }} ifname cdc-wdm0 type gsm apn "internet"