From 5135c2111e3074e92ac7a728860d15f48236d9aa Mon Sep 17 00:00:00 2001
From: Nils Jakobi
Date: Tue, 7 Apr 2020 21:40:58 +0200
Subject: [PATCH] first draft
---
config/awall/optional/icmp.yaml | 7 +++
config/awall/optional/main.yaml | 4 ++
config/awall/optional/ssh.yaml | 7 +++
config/awall/private/base.yaml | 30 ++++++++++
config/dnsmasq/dnsmasq.conf | 54 ++++++++++++++++++
config/dnsmasq/hosts | 7 +++
config/interface-config | 20 +++++++
dhcp.yml | 99 +++++++++++++++++++++++++++++++++
inventory.yml | 6 ++
9 files changed, 234 insertions(+)
create mode 100644 config/awall/optional/icmp.yaml
create mode 100644 config/awall/optional/main.yaml
create mode 100644 config/awall/optional/ssh.yaml
create mode 100644 config/awall/private/base.yaml
create mode 100644 config/dnsmasq/dnsmasq.conf
create mode 100644 config/dnsmasq/hosts
create mode 100644 config/interface-config
create mode 100644 dhcp.yml
create mode 100644 inventory.yml
diff --git a/config/awall/optional/icmp.yaml b/config/awall/optional/icmp.yaml
new file mode 100644
index 0000000..b09c15d
--- /dev/null
+++ b/config/awall/optional/icmp.yaml
@@ -0,0 +1,7 @@
+---
+description: Allow ping on WAN
+filter:
+- in: WAN
+ out: _fw
+ service: ping
+ action: accept
diff --git a/config/awall/optional/main.yaml b/config/awall/optional/main.yaml
new file mode 100644
index 0000000..bc937d6
--- /dev/null
+++ b/config/awall/optional/main.yaml
@@ -0,0 +1,4 @@
+---
+description: Main firewall
+import:
+- base
diff --git a/config/awall/optional/ssh.yaml b/config/awall/optional/ssh.yaml
new file mode 100644
index 0000000..4769adb
--- /dev/null
+++ b/config/awall/optional/ssh.yaml
@@ -0,0 +1,7 @@
+---
+description: Allow SSH on WAN
+filter:
+- in: WAN
+ out: _fw
+ service: ssh
+ action: accept
diff --git a/config/awall/private/base.yaml b/config/awall/private/base.yaml
new file mode 100644
index 0000000..c494cde
--- /dev/null
+++ b/config/awall/private/base.yaml
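Review bot: The filter in `config/awall/optional/ssh.yaml` accepts the ssh service from the entire WAN zone with no `src` restriction, and the same patch sets `PermitRootLogin yes` in dhcp.yml and connects as root in inventory.yml, so root password guessing from the Internet is reachable as soon as the policy is activated. If the networks you manage from are known, narrow the rule with one added attribute, `src: <MANAGEMENT_PREFIX>` (placeholder, a CIDR or list of CIDRs), under the existing `out: _fw` line. Where a static allowlist is impractical, awall's `conn-limit` attribute on the same filter rule throttles new connections per source, which blunts brute forcing without closing the port.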
@@ -0,0 +1,30 @@
+---
+description: Base zones and policies
+zone:
+ WAN:
+ iface: wan
+ LAN:
+ iface: lan
+
+policy:
+- in: LAN
+ action: accept
+
+- out: LAN
+ action: accept
+
+- in: _fw
+ action: accept
+
+- in: _fw
+ out: WAN
+ action: accept
+
+- in: WAN
+ action: drop
+
+snat:
+- out: WAN
+
+clamp-mss:
+- out: WAN
diff --git a/config/dnsmasq/dnsmasq.conf b/config/dnsmasq/dnsmasq.conf
new file mode 100644
index 0000000..7cf510d
--- /dev/null
+++ b/config/dnsmasq/dnsmasq.conf
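Review bot: The second policy, `- out: LAN` with `action: accept`, carries no `in:` and therefore matches traffic from every zone into LAN, including forwarded WAN-to-LAN packets; whether it or the later `- in: WAN` / `action: drop` wins for that zone pair depends on awall's policy resolution, which nothing in the patch makes explicit. The rule also adds nothing the author seems to want, because `in: _fw` / `action: accept` already covers firewall-to-LAN and `in: LAN` covers LAN-to-LAN. Either delete the rule or make its source explicit by changing it to `- in: _fw` / `  out: LAN` / `  action: accept`, so that the only accepted path into LAN from the WAN side is reply traffic. A one-line comment above `snat:` noting that masquerading applies to every LAN source leaving via WAN would also help the next reader.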
@@ -0,0 +1,54 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+local=/hetzner.ffrs/
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+server=1.1.1.1
+server=1.0.0.1
+#server=2606:4700:4700::1111@ppp0
+#server=2606:4700:4700::1001@ppp0
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+interface=lan
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+# as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+# domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+domain=hetzner.ffrs
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+dhcp-range=172.16.0.100,172.16.0.200,12h
+
+# do not read /etc/resolv.conf
+no-resolv
+
+log-facility=/var/log/dnsmasq.log
+log-queries
+log-async
+
+# Include all files in a directory which end in .conf
+conf-dir=/etc/dnsmasq.d/,*.conf
diff --git a/config/dnsmasq/hosts b/config/dnsmasq/hosts
new file mode 100644
index 0000000..dd0ef8e
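Review bot: `interface=lan` on its own makes dnsmasq bind the wildcard address and discard queries that arrive on other interfaces, so the forwarding resolver still holds a socket on the WAN address and answers there whenever the firewall is not active; in this patch's dhcp.yml the dnsmasq service is started several tasks before the awall policies are activated. Adding `bind-interfaces` directly under `interface=lan` binds the listener to that interface only, at the cost that `lan` must exist when dnsmasq starts, which the `auto lan` stanza in config/interface-config provides after the first ifup. Separately, `log-queries` records every client lookup in `/var/log/dnsmasq.log` and the patch defines no rotation; a comment stating why per-query logging is wanted on a gateway, or dropping it once debugging is done, is worth considering.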
--- /dev/null
+++ b/config/dnsmasq/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost.localdomain localhost
+::1 ipv6-gateway ipv6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+10.22.0.1 firewall firewall.jakobi.duckdns.org
diff --git a/config/interface-config b/config/interface-config
new file mode 100644
index 0000000..70877d5
--- /dev/null
+++ b/config/interface-config
@@ -0,0 +1,20 @@
+# Loopback interface; nothing complex here
+auto lo
+iface lo inet loopback
+ address 127.0.0.1
+ netmask 255.0.0.0
+
+auto lan
+iface lan inet static
+ address 172.16.0.1
+ netmask 255.255.255.0
+ broadcast 172.16.0.255
+ up ip route add blackhole 10.0.0.0/8
+ up ip route add blackhole 172.16.0.0/12
+ up ip route add blackhole 192.168.0.0/16
+
+auto wan
+iface wan inet static
+ address 46.4.156.126
+ netmask 225.255.255.240
+ gateway 46.4.156.113
diff --git a/dhcp.yml b/dhcp.yml
new file mode 100644
index 0000000..3b9bb6b
--- /dev/null
+++ b/dhcp.yml
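Review bot: The last line maps `firewall` and `firewall.jakobi.duckdns.org` to `10.22.0.1`, but the address this host is given on `lan` in config/interface-config is `172.16.0.1`, and the same file blackholes `10.0.0.0/8`; since dnsmasq serves `/etc/hosts` entries to clients by default, a DHCP client resolving `firewall` would be handed an address the gateway itself drops. Unless a `10.22.0.1` interface is configured outside this patch, the line should read `172.16.0.1 firewall firewall.jakobi.duckdns.org`. Note also that dhcp.yml installs this file over the system `/etc/hosts`, and it has no entry for the machine's own hostname (presumably `h1-126`, per the inventory), which some tools complain about when the name does not resolve locally.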
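Review bot: `netmask 225.255.255.240` in the `wan` stanza is not a valid mask (225 is 11100001 in binary, so the mask is non-contiguous); ifup will either reject the stanza or install a wrong on-link route for `46.4.156.126`, after which the gateway `46.4.156.113` can become unreachable. It should read `netmask 255.255.255.240`, which places both the address and the gateway in 46.4.156.112/28. Because this interface is the only path Ansible has to the host, a bad mask here can lock you out on the next ifup, so it is worth verifying with `ipcalc` or a rendered `ip route` before the copy task in dhcp.yml is run.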
@@ -0,0 +1,99 @@
+- hosts: h1-126
+ tasks:
+ - name: Install software
+ become: yes
+ package:
+ name:
+ - awall
+ - dnsmasq
+ - htop
+ - vim
+ state: present
+
+ - name: enable dnsmasq service
+ become: yes
+ service:
+ name: dnsmasq
+ enabled: yes
+ state: started
+
+ - name: Configure SSHD
+ become: yes
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: present
+ regexp: "PermitRootLogin"
+ line: "PermitRootLogin yes"
+ create: yes
+ notify: restart SSHD service
+
+ - name: add requirements in sysctl
+ become: yes
+ blockinfile:
+ path: /etc/sysctl.conf
+ insertafter: EOF
+ block: |
+ # Enable IPv4 forwarding
+ net.ipv4.ip_forward = 1
+
+ - name: configuring interfaces
+ become: yes
+ copy:
+ src: 'config/interface-config'
+ dest: '/etc/network/interfaces'
+ mode: 0644
+
+ - name: configure DNS
+ become: yes
+ copy: src={{ item.src }} dest={{ item.dest }} mode=0644
+ with_items:
+ - { src: 'config/dnsmasq/dnsmasq.conf', dest: '/etc/dnsmasq.conf'}
+ - { src: 'config/dnsmasq/hosts', dest: '/etc/hosts'}
+ notify: restart dnsmasq service
+
+ - name: configure awall
+ become: yes
+ copy: src={{ item.src }} dest={{ item.dest }} mode=0644
+ with_items:
+ - { src: 'config/awall/private', dest: '/etc/awall'}
+ - { src: 'config/awall/optional', dest: '/etc/awall'}
+
+ - name: enable IPv4 forwarding
+ become: yes
+ lineinfile:
+ path: /etc/conf.d/iptables
+ state: present
+ regexp: "IPFORWARD="
+ line: 'IPFORWARD="yes"'
+ create: yes
+
+ - name: Enable awall policies
+ awall:
+ name:
+ - main
+ - ssh
+ - icmp
+ state: enabled
+ activate: yes
+
+ - name: enable iptables service
+ become: yes
+ service:
+ name: iptables
+ enabled: yes
+ state: started
+
+ handlers:
+ - name: restart SSHD service
+ become: yes
+ service:
+ name: sshd
+ enabled: yes
+ state: restarted
+
+ - name: restart dnsmasq service
+ become: yes
+ service:
+ name: dnsmasq
+ enabled: yes
+ state: restarted
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..841d022
--- /dev/null
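Review bot: The `Configure SSHD` task writes `PermitRootLogin yes`, which permits root logins by password, while `config/awall/optional/ssh.yaml` in the same patch opens SSH to the whole WAN zone and no task turns off `PasswordAuthentication`. The inventory already logs in as root, so key-only access is sufficient: change the line to `line: "PermitRootLogin prohibit-password"` and add a sibling `lineinfile` task with `regexp: "^#?PasswordAuthentication"` and `line: "PasswordAuthentication no"`, notifying the same `restart SSHD service` handler. Two smaller points in the same hunk: `Enable awall policies` is the only task without `become: yes`, which is inconsistent even if it is a no-op while `ansible_user` is root, and the `blockinfile` append to `/etc/sysctl.conf` takes effect only after a reboot, whereas the `sysctl` module with `name: net.ipv4.ip_forward`, `value: "1"` and `sysctl_set: yes` both persists and applies it. The unquoted `mode: 0644` in `configuring interfaces` is parsed as an integer by YAML and should be `mode: "0644"` like the `mode=0644` form used in the two copy tasks below it.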
+++ b/inventory.yml
@@ -0,0 +1,6 @@
+all:
+ hosts:
+ h1-126:
+ ansible_user: root
+ ansible_host: 46.4.156.126
+ ansible_python_interpreter: /usr/bin/python3.7
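Review bot: `ansible_python_interpreter: /usr/bin/python3.7` pins a minor-version path that stops existing at the first upgrade of the target's `python3` package, after which every play fails during fact gathering; `ansible_python_interpreter: /usr/bin/python3` survives upgrades, and Ansible 2.8 and later also accept `auto`. Since the inventory connects as `root` to a public address, a one-line comment above `h1-126:` stating that the controller's SSH key is the only credential expected to work would make the intended access model explicit for the next operator.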