external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00
Code Issues Releases Wiki Activity

Merge pull request #250 from iiab/master

Browse source 
sync from iiab/iiab
This commit is contained in:
A Holt 2019-05-24 00:06:30 -04:00 committed by GitHub
commit 17193b8629
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 222 additions and 127 deletions
Download patch file Download diff file Expand all files Collapse all files

2
roles/lokole/defaults/main.yml
View file

@ -5,7 +5,7 @@
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
# Info needed to install Lokole # Info needed to install Lokole
lokole_version: 0.4.1 lokole_version: 0.4.2
lokole_admin_user: admin # lowercase seems nec here (even though uppercase Admin/changeme is IIAB's OOB recommendation!) lokole_admin_user: admin # lowercase seems nec here (even though uppercase Admin/changeme is IIAB's OOB recommendation!)
lokole_admin_password: changeme lokole_admin_password: changeme
lokole_install_path: "{{ content_base }}/lokole" # /library/lokole lokole_install_path: "{{ content_base }}/lokole" # /library/lokole

8
roles/network/tasks/avahi.yml
View file

@ -12,7 +12,13 @@
owner: avahi owner: avahi
group: avahi group: avahi
mode: 0640 mode: 0640
when: 'gui_wan == True' #when: 'gui_wan == True'
when: ports_externally_visible|int >= 2
# Where "2" means "ssh + http-or-https (for Admin Console's box.lan/admin too)"
# SEE ~18 line explanation in box near:
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L3-L20
# IF >= 2, Admin Console $gui_port from 0-init determines which port (http-or-https) is opened here:
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L133-L138
- name: Find avahi_ver for clean copy of ssh.service (not debuntu) - name: Find avahi_ver for clean copy of ssh.service (not debuntu)
shell: "ls /usr/share/doc/ | grep avahi | head -n1" shell: "ls /usr/share/doc/ | grep avahi | head -n1"

265
roles/network/templates/gateway/iiab-gen-iptables
View file

@ -1,5 +1,31 @@
#!/bin/bash -x #!/bin/bash -x
source {{ iiab_env_file }}
################################################################################
# #
# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN: #
# #
# /etc/iiab/local_vars.yml #
# #
# This firewall variable must be an integer {0...5} as follows: #
# #
# 0 = none #
# 1 = ssh only #
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too) #
# 3 = ssh + http-or-https + common IIAB services <-- THIS IS THE DEFAULT #
# 4 = ssh + http-or-https + common IIAB services + Samba #
# 5 = all but databases #
# #
# Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network #
# #
################################################################################
# To further customize your iptables firewall, it's generally best to edit:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# IIAB Networking Doc:
# https://github.com/iiab/iiab/wiki/IIAB-Networking#firewall-iptables
{% if is_debuntu %} {% if is_debuntu %}
IPTABLES=/sbin/iptables IPTABLES=/sbin/iptables
IPTABLES_DATA=/etc/iptables.up.rules IPTABLES_DATA=/etc/iptables.up.rules
@ -7,159 +33,182 @@ IPTABLES_DATA=/etc/iptables.up.rules
IPTABLES=/usr/sbin/iptables IPTABLES=/usr/sbin/iptables
IPTABLES_DATA=/etc/sysconfig/iptables IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %} {% endif %}
LANIF=$IIAB_LAN_DEVICE
WANIF=$IIAB_WAN_DEVICE
MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
clear_fw() { source {{ iiab_env_file }}
$IPTABLES -F lan=$IIAB_LAN_DEVICE
$IPTABLES -t nat -F wan=$IIAB_WAN_DEVICE
$IPTABLES -X echo -e "\nLAN: $lan"
echo -e "WAN: $wan\n"
#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
#echo -e "Network Mode: $network_mode\n"
# first match wins # "Good thing we replace this file; should be treated like Squid below" ?
# Always accept loopback traffic ports_externally_visible={{ ports_externally_visible }}
$IPTABLES -A INPUT -i lo -j ACCEPT #services_externally_visible={{ services_externally_visible }}
# Always drop rpc
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
# mysql
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# postgres - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# couchdb
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
}
if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
clear_fw
# save the rule set
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}
exit 0
fi
lan=$LANIF
wan=$WANIF
# Good thing we replace this file should be treated like squid below
gw_block_https={{ gw_block_https }} gw_block_https={{ gw_block_https }}
ssh_port={{ ssh_port }} ssh_port={{ ssh_port }}
gui_wan={{ gui_wan }} #gui_wan={{ gui_wan }}
gui_port={{ gui_port }} gui_port={{ gui_port }}
iiab_gateway_enabled={{ iiab_gateway_enabled }} iiab_gateway_enabled={{ iiab_gateway_enabled }}
services_externally_visible={{ services_externally_visible }} block_DNS={{ block_DNS }}
calibre_port={{ calibre_port }} calibre_port={{ calibre_port }}
calibreweb_port={{ calibreweb_port }} calibreweb_port={{ calibreweb_port }}
kiwix_port={{ kiwix_port }}
kalite_server_port={{ kalite_server_port }}
kolibri_http_port={{ kolibri_http_port }}
cups_port={{ cups_port }} cups_port={{ cups_port }}
transmission_http_port={{ transmission_http_port }} kalite_server_port={{ kalite_server_port }}
transmission_peer_port={{ transmission_peer_port }} kiwix_port={{ kiwix_port }}
sugarizer_port={{ sugarizer_port }} kolibri_http_port={{ kolibri_http_port }}
nodered_port={{ nodered_port }}
mosquitto_port={{ mosquitto_port }}
minetest_port={{ minetest_port }} minetest_port={{ minetest_port }}
mosquitto_port={{ mosquitto_port }}
nodered_port={{ nodered_port }}
pbx_enabled={{ pbx_enabled }}
pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }} pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }} pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
pbx_data_ports={{ pbx_data_ports }} pbx_data_ports={{ pbx_data_ports }}
pbx_enabled={{ pbx_enabled }} sugarizer_port={{ sugarizer_port }}
samba_enabled={{ samba_enabled }} transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}
samba_udp_ports={{ samba_udp_ports }} samba_udp_ports={{ samba_udp_ports }}
samba_tcp_mports={{ samba_tcp_mports }} samba_tcp_mports={{ samba_tcp_mports }}
block_DNS={{ block_DNS }} echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
echo "LAN is $lan and WAN is $wan" echo "EXITING: an integer is required"
# exit 1
# delete all existing rules. elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
# echo "EXITING: it must be in the range {0...5}"
exit 1
fi
#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
# Load iptables kernel modules
/sbin/modprobe ip_tables /sbin/modprobe ip_tables
/sbin/modprobe iptable_filter /sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat /sbin/modprobe iptable_nat
clear_fw #fi
# Delete all existing firewall rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# FIRST MATCH WINS - establish iptable rules, starting at the top:
# (verify the resulting rule set by running 'iptables -L -v')
# New to iptables? Run/read 'man iptables' & 'man iptables-extensions'
# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
# Disable access to databases, on LAN-side and WAN-side
# SunRPC
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
# MySQL
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# PostgreSQL - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# CouchDB
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
# Allow established connections, and those not coming from the outside # Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
# Allow mDNS # Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT $IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
#when run as gateway #if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT if [ "$wan" != "none" ]; then
if [ "$gui_wan" == "True" ]; then # 1 = ssh only
$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT if [ "$ports_externally_visible" -ge 1 ]; then
fi $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
if [ "$services_externally_visible" == "True" ]; then
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
if [ "$pbx_enabled" == "True" ]; then
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
fi fi
if [ "$samba_enabled" == "True" ]; then # 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
if [ "$ports_externally_visible" -ge 2 ]; then
# For now this is implemented using Admin Console variable "gui_port" from:
# https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95
$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
fi
# 3 = ssh + http-or-https + common IIAB services
if [ "$ports_externally_visible" -ge 3 ]; then
$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
if [ "$pbx_enabled" == "True" ]; then
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
fi
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
fi
# 4 = ssh + http-or-https + common IIAB services + Samba
if [ "$ports_externally_visible" -ge 4 ]; then
$IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
fi fi
if [ "$lan" != "none" ]; then
# Typically False, to keep client machines (e.g. students) off the Internet
if [ "$iiab_gateway_enabled" == "True" ]; then
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
fi
# 3 or 4 IP forwarding rules
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi
# Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
# Enable routing (kernel IP forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# 5 = "all but databases"
if [ "$ports_externally_visible" -lt 5 ]; then
# Drop everything else arriving via WAN
$IPTABLES -A INPUT -i $wan -j DROP
fi
fi fi
if [ "$iiab_gateway_enabled" == "True" ]; then # TCP & UDP block of DNS port 53 if truly nec
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
fi
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
#Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi
# Allow outgoing connections from the LAN side.
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside.
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
$IPTABLES -A INPUT -i $wan -j DROP
if [ "$block_DNS" == "True" ]; then if [ "$block_DNS" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi fi
# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
if [ "$HTTPCACHE_ON" == "True" ]; then if [ "$HTTPCACHE_ON" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi fi
# Enable routing. # Save the whole rule set
echo 1 > /proc/sys/net/ipv4/ip_forward
# save the whole rule set now
{% if is_debuntu %} {% if is_debuntu %}
netfilter-persistent save netfilter-persistent save
{% else %} {% else %}
iptables-save > $IPTABLES_DATA iptables-save > $IPTABLES_DATA
{% endif %} {% endif %}
exit 0 exit 0

2
scripts/ansible-2.7.x
View file

@ -1,7 +1,7 @@
#!/bin/bash -e #!/bin/bash -e
CURR_VER="undefined" # Ansible version you currently have installed CURR_VER="undefined" # Ansible version you currently have installed
GOOD_VER="2.7.10" # For XO laptops (pip install) & CentOS (yum install rpm) GOOD_VER="2.7.11" # For XO laptops (pip install) & CentOS (yum install rpm)
# On other OS's we attempt the latest from PPA, which might be more recent # On other OS's we attempt the latest from PPA, which might be more recent
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive

18
vars/default_vars.yml
View file

@ -91,10 +91,20 @@ gui_wan: True
adm_cons_force_ssl: False adm_cons_force_ssl: False
adm_cons_allow_downloads: False adm_cons_allow_downloads: False
# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
# within github.com/iiab/iiab/blob/master/roles/ # Only 1 of the 6 lines below should be uncommented:
services_externally_visible: True #
#ports_externally_visible: 0 # none
#ports_externally_visible: 1 # ssh only
#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too)
ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba
#ports_externally_visible: 5 # all but databases
#
# Or further customize your iptables firewall by editing:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# Gateway and Filters # Gateway and Filters
# Most all implementations use "iiab_gateway_enabled: False" within # Most all implementations use "iiab_gateway_enabled: False" within

18
vars/local_vars_big.yml
View file

@ -40,10 +40,20 @@ host_channel: 6
hostapd_secure: False hostapd_secure: False
hostapd_password: changeme hostapd_password: changeme
# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
# within github.com/iiab/iiab/blob/master/roles/ # Only 1 of the 6 lines below should be uncommented:
services_externally_visible: True #
#ports_externally_visible: 0 # none
#ports_externally_visible: 1 # ssh only
#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too)
ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba
#ports_externally_visible: 5 # all but databases
#
# Or further customize your iptables firewall by editing:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# Make this True if client machines should have access to WAN/Internet: # Make this True if client machines should have access to WAN/Internet:
iiab_gateway_enabled: False iiab_gateway_enabled: False

18
vars/local_vars_medium.yml
View file

@ -40,10 +40,20 @@ host_channel: 6
hostapd_secure: False hostapd_secure: False
hostapd_password: changeme hostapd_password: changeme
# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
# within github.com/iiab/iiab/blob/master/roles/ # Only 1 of the 6 lines below should be uncommented:
services_externally_visible: True #
#ports_externally_visible: 0 # none
#ports_externally_visible: 1 # ssh only
#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too)
ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba
#ports_externally_visible: 5 # all but databases
#
# Or further customize your iptables firewall by editing:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# Make this True if client machines should have access to WAN/Internet: # Make this True if client machines should have access to WAN/Internet:
iiab_gateway_enabled: False iiab_gateway_enabled: False

18
vars/local_vars_min.yml
View file

@ -40,10 +40,20 @@ host_channel: 6
hostapd_secure: False hostapd_secure: False
hostapd_password: changeme hostapd_password: changeme
# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
# within github.com/iiab/iiab/blob/master/roles/ # Only 1 of the 6 lines below should be uncommented:
services_externally_visible: True #
#ports_externally_visible: 0 # none
#ports_externally_visible: 1 # ssh only
#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too)
ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba
#ports_externally_visible: 5 # all but databases
#
# Or further customize your iptables firewall by editing:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# Make this True if client machines should have access to WAN/Internet: # Make this True if client machines should have access to WAN/Internet:
iiab_gateway_enabled: False iiab_gateway_enabled: False