
Cleaner network/templates/gateway/iiab-gen-iptables & 2-common prep

This commit is contained in:
root 2021-08-18 01:47:03 -04:00
parent 2634fa207b
commit f7d2468f6a
3 changed files with 22 additions and 15 deletions


@ -15,15 +15,17 @@
name: name:
- hostapd # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired - hostapd # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
- iproute2 # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools - iproute2 # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
- iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however 'netfilter' is ever moving forward so keep an eye on it! - iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
- netmask # Handy utility -- helps determine network masks - netmask # Handy utility -- helps determine network masks
state: present state: present
- name: Install /etc/network/if-pre-up.d/iptables from template (0755, debuntu) # 2021-08-17: Debian ignores this, according to 2013 post:
template: # https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables
src: iptables # - name: Install /etc/network/if-pre-up.d/iptables from template (0755)
dest: /etc/network/if-pre-up.d/iptables # template:
mode: '0755' # src: iptables
# dest: /etc/network/if-pre-up.d/iptables
# mode: '0755'
# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes: # Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)" - name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
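Review bot: Commenting out the if-pre-up.d/iptables task at lines 23-29 stops deploying the hook on fresh installs but leaves it in place on hosts where an earlier run already wrote it, so those systems keep executing a stale script at interface pre-up that no task owns any more. The retained comment explaining why it was dropped is helpful, and if Debian truly ignores the hook the leftover is harmless there; the old task name said "debuntu", though, so Ubuntu hosts still on ifupdown may keep running the old file — worth confirming before relying on iptables-persistent (line 20) alone to restore the rule set at boot. An explicit removal task keeps old and new installs in the same state; place it where the commented block now sits.
```yaml
# … unchanged: package list and state: present above …
- name: Remove /etc/network/if-pre-up.d/iptables if present (no longer installed as of 2021-08-17)
  file:
    path: /etc/network/if-pre-up.d/iptables
    state: absent
# … unchanged: sysctl task below …
```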


@ -50,15 +50,20 @@ iiab_var_value() {
[ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS [ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS
} }
source {{ iiab_env_file }} source /etc/iiab/iiab.env
lan=$IIAB_LAN_DEVICE lan=$IIAB_LAN_DEVICE
wan=$IIAB_WAN_DEVICE wan=$IIAB_WAN_DEVICE
iiab_gateway_enabled=$IIAB_GATEWAY_ENABLED iiab_gateway_enabled=$IIAB_GATEWAY_ENABLED
# iiab_gateway_enabled=$(iiab_var_value iiab_gateway_enabled) echo
echo -e "\nLAN: $lan" echo "Extracted 3 network vars from /etc/iiab/iiab.env :"
echo -e "WAN: $wan\n" echo
#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'` echo "lan: $lan"
echo "wan: $wan"
echo "iiab_gateway_enabled: $iiab_gateway_enabled"
echo
#network_mode=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
#echo -e "Network Mode: $network_mode\n" #echo -e "Network Mode: $network_mode\n"
lan_ip=$(iiab_var_value lan_ip) # 172.18.96.1
ports_externally_visible=$(iiab_var_value ports_externally_visible) ports_externally_visible=$(iiab_var_value ports_externally_visible)
gw_block_https=$(iiab_var_value gw_block_https) gw_block_https=$(iiab_var_value gw_block_https)
@ -199,7 +204,7 @@ if [ "$wan" != "none" ]; then
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block https traffic except if directed at server # Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP $IPTABLES -A FORWARD -p tcp ! -d $lan_ip --dport 443 -j DROP
fi fi
# Allow outgoing connections from the LAN side # Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
@ -218,13 +223,13 @@ fi
# TCP & UDP block of DNS port 53 if truly nec # TCP & UDP block of DNS port 53 if truly nec
if [ "$block_DNS" == "True" ]; then if [ "$block_DNS" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d $lan_ip -j DNAT --to $lan_ip:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d $lan_ip -j DNAT --to $lan_ip:53
fi fi
# if [ "$HTTPCACHE_ON" == "True" ]; then # Via /etc/iiab/iiab.env # if [ "$HTTPCACHE_ON" == "True" ]; then # Via /etc/iiab/iiab.env
if [ "$squid_enabled" == "True" ]; then # Direct from default_vars.yml and local_vars.yml if [ "$squid_enabled" == "True" ]; then # Direct from default_vars.yml and local_vars.yml
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d $lan_ip -j DNAT --to $lan_ip:3128
fi fi
# Save the whole rule set # Save the whole rule set