ff

2024-09-03 21:42:54 +03:00
parent 37c37cb98b
commit d1cab7f74f
3 changed files with 144 additions and 115 deletions
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -17,11 +17,17 @@
    wifi_ssid: "test"
    # Пароль для сети 
    wifi_psk: "test12345"
-    # Статический адрес интерфейса и шлюз
+    # Статические адрес интерфейса и шлюз
    wifi_int_ip: 10.1.10.1
    phy_int1: 10.1.10.2
    phy_int2: 10.1.10.3
    # Имя lte модема для настройки NetworkManager
    LTE_con_name: "LTE"
    phy_int1_name: "physical_1"
    phy1_iface_name: "enp89s0"
    phy_int2_name: "physical_2"
    phy2_iface_name: "enp89s0"
    ## dnsmasq
    # Время аренды в секундах
    lease_time: 10800
--- a/roles/configure/tasks/iptables.yaml
+++ b/roles/configure/tasks/iptables.yaml
@@ -26,128 +26,128 @@
    - { chain: FORWARD }
  tags: 
  - flush
-# - name: Allow outgoing connections on LAN all
+- name: Allow outgoing connections on LAN all
-#   iptables:
+  iptables:
-#     chain: OUTPUT
+    chain: OUTPUT
-#     out_interface: "{{ item }}"
+    out_interface: "{{ item }}"
-#     jump: ACCEPT
+    jump: ACCEPT
-#   loop: "{{ without_lte.stdout_lines }}"
+  loop: "{{ without_lte.stdout_lines }}"
-# - name: Allow loopback traffic
+- name: Allow loopback traffic
-#   iptables:
+  iptables:
-#     chain: INPUT
+    chain: INPUT
-#     protocol: all
+    protocol: all
-#     jump: ACCEPT
+    jump: ACCEPT
-#     in_interface: lo
+    in_interface: lo
-# - name: Allow loopback traffic for OUTPUT
+- name: Allow loopback traffic for OUTPUT
-#   iptables:
+  iptables:
-#     chain: OUTPUT
+    chain: OUTPUT
-#     protocol: all
+    protocol: all
-#     jump: ACCEPT
+    jump: ACCEPT
-#     out_interface: lo
+    out_interface: lo
-# - name: Allow ICMP echo-reply
+- name: Allow ICMP echo-reply
-#   ansible.builtin.iptables:
+  ansible.builtin.iptables:
-#     chain: INPUT
+    chain: INPUT
-#     protocol: icmp
+    protocol: icmp
-#     icmp_type: echo-reply  # Разрешаем ответы на ping
+    icmp_type: echo-reply  # Разрешаем ответы на ping
-#     jump: ACCEPT
+    jump: ACCEPT
-#     comment: Allow ICMP echo-reply
+    comment: Allow ICMP echo-reply
-#     state: present
+    state: present
-# - name: Allow specific ICMP types
+- name: Allow specific ICMP types
-#   ansible.builtin.iptables:
+  ansible.builtin.iptables:
-#     chain: INPUT
+    chain: INPUT
-#     protocol: icmp
+    protocol: icmp
-#     jump: ACCEPT
+    jump: ACCEPT
-#     icmp_type: "{{ item }}"
+    icmp_type: "{{ item }}"
-#     comment: "Allow ICMP {{ item }}"
+    comment: "Allow ICMP {{ item }}"
-#   loop:
+  loop:
-#     - destination-unreachable
+    - destination-unreachable
-#     - time-exceeded
+    - time-exceeded
-# - name: Allow ICMP echo-request
+- name: Allow ICMP echo-request
-#   ansible.builtin.iptables:
+  ansible.builtin.iptables:
-#     chain: INPUT
+    chain: INPUT
-#     protocol: icmp
+    protocol: icmp
-#     icmp_type: echo-request  # Разрешаем запросы ping
+    icmp_type: echo-request  # Разрешаем запросы ping
-#     jump: ACCEPT
+    jump: ACCEPT
-#     comment: Allow ICMP echo-request
+    comment: Allow ICMP echo-request
-#     state: present
+    state: present
-# - name: Allow established and related connections
+- name: Allow established and related connections
-#   iptables:
+  iptables:
-#     chain: "{{ item }}"
+    chain: "{{ item }}"
-#     protocol: all
+    protocol: all
-#     jump: ACCEPT
+    jump: ACCEPT
-#     ctstate:
+    ctstate:
-#       - ESTABLISHED
+      - ESTABLISHED
-#       - RELATED
+      - RELATED
-#     action: insert
+    action: insert
-#     rule_num: 1
+    rule_num: 1
-#   loop:
+  loop:
-#     - INPUT
+    - INPUT
-#     - OUTPUT
+    - OUTPUT
-#     - FORWARD
+    - FORWARD
-# - name: Drop invalid packets on INPUT
+- name: Drop invalid packets on INPUT
-#   iptables:
+  iptables:
-#     chain: INPUT
+    chain: INPUT
-#     jump: DROP
+    jump: DROP
-#     match: state
+    match: state
-#     ctstate: INVALID
+    ctstate: INVALID
-#     state: present
+    state: present
-#     action: insert
+    action: insert
-#     rule_num: 1
+    rule_num: 1
-# - name: Drop invalid packets on FORWARD
+- name: Drop invalid packets on FORWARD
-#   iptables:
+  iptables:
-#     chain: FORWARD
+    chain: FORWARD
-#     jump: DROP
+    jump: DROP
-#     match: state
+    match: state
-#     ctstate: INVALID
+    ctstate: INVALID
-#     state: present
+    state: present
-#     action: insert
+    action: insert
-#     rule_num: 1
+    rule_num: 1
-# - name: Drop non-SYN packets for new TCP connections in INPUT chain
+- name: Drop non-SYN packets for new TCP connections in INPUT chain
-#   iptables:
+  iptables:
-#     chain: INPUT
+    chain: INPUT
-#     protocol: tcp
+    protocol: tcp
-#     jump: DROP
+    jump: DROP
-#     match: conntrack
+    match: conntrack
-#     ctstate: NEW
+    ctstate: NEW
-#     syn: negate  # Это эквивалентно '! --syn'
+    syn: negate  # Это эквивалентно '! --syn'
-# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain
+- name: Drop non-SYN packets for new TCP connections in OUTPUT chain
-#   iptables:
+  iptables:
-#     chain: OUTPUT
+    chain: OUTPUT
-#     protocol: tcp
+    protocol: tcp
-#     jump: DROP
+    jump: DROP
-#     match: conntrack
+    match: conntrack
-#     ctstate: NEW
+    ctstate: NEW
-#     syn: negate  # Это эквивалентно '! --syn'
+    syn: negate  # Это эквивалентно '! --syn'
-# - name: Allow TCP MSS clamping
+- name: Allow TCP MSS clamping
-#   command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+  command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-# - name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
+- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
-#   iptables:
+  iptables:
-#     chain: FORWARD
+    chain: FORWARD
-#     in_interface: "{{ wifi_int.stdout }}"
+    source: "{{ subnet }}/24"
-#     out_interface: "{{ lte_int.stdout }}"
+    out_interface: "{{ lte_int.stdout }}"
-#     jump: ACCEPT
+    jump: ACCEPT
-#     action: insert
+    action: insert
-#     rule_num: 3 
+    rule_num: 3 
-# - name: Enable masquerading for {{ lte_int.stdout }}
+- name: Enable masquerading for {{ lte_int.stdout }}
-#   iptables:
+  iptables:
-#     chain: POSTROUTING
+    chain: POSTROUTING
-#     jump: MASQUERADE
+    jump: MASQUERADE
-#     table: nat
+    table: nat
-#     out_interface: "{{ lte_int.stdout }}"
+    out_interface: "{{ lte_int.stdout }}"
-# - name: Save iptables rules
+- name: Save iptables rules
-#   command: iptables-save -f /etc/iptables/iptables.rules
+  command: iptables-save -f /etc/iptables/iptables.rules
--- a/roles/configure/tasks/main.yaml
+++ b/roles/configure/tasks/main.yaml
@@ -76,17 +76,40 @@
  register: nmcli_result
  ignore_errors: True
- name: Check result nmcli
+- name: Check result nmcli {{ wifi_ssid }}
  set_fact:
    nmcli_failed: "{{ nmcli_result.rc != 0 }}"
 # - name: Run nmcli to check if phy1 connection has already been added
 #   shell: /usr/bin/nmcli c | grep {{ phy_int1_name }}
 #   register: phy1_result
 #   ignore_errors: True
 # - name: Check result nmcli {{ phy_int1_name }}
 #   set_fact:
 #     phy1_failed: "{{ phy1_result.rc != 0 }}"
 - name: Run nmcli to check if phy2 connection has already been added
  shell: /usr/bin/nmcli c | grep {{ phy_int2_name }}
  register: phy2_result
  ignore_errors: True
 - name: Check result nmcli {{ phy_int2_name }}
  set_fact:
    phy2_failed: "{{ phy2_result.rc != 0 }}"
 - name: Run nmcli to add a connection with the specified parameters as a wifi access point if above check has failed
  command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ wifi_ssid }} ifname {{ wifi_int.stdout }} type wifi ssid {{ wifi_ssid }} mode ap ip4 {{ wifi_int_ip }}
  when: nmcli_failed
- name: Configure physical interface
+# - name: Configure physical interface 1
-  command: /usr/bin/nmcli c add autoconnect yes save yes con-name eth1 ifname enp90s0 type ethernet ipv4.method manual ipv4.address 10.1.10.2
+#   command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ phy_int1_name }} ifname {{ phy1_iface_name }} type ethernet ipv4.method shared ipv4.address {{ phy_int1 }}
-  when: nmcli_failed
+#   when: phy1_failed
 - name: Configure physical interface 1
  command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ phy_int2_name }} ifname {{ phy2_iface_name }} type ethernet ipv4.method shared ipv4.address {{ phy_int2 }}
  when: phy2_failed
 - name: Run nmcli to add a connection LTE
  command: /usr/bin/nmcli c add autoconnect yes save yes con-name {{ LTE_con_name }} ifname cdc-wdm0 type gsm apn "internet"