first draft

config/awall/optional/icmp.yaml

@@ -0,0 +1,7 @@
+---
+description: Allow ping on WAN
+filter:
+- in: WAN
+  out: _fw
+  service: ping
+  action: accept

config/awall/optional/main.yaml

@@ -0,0 +1,4 @@
+---
+description: Main firewall
+import:
+- base

config/awall/optional/ssh.yaml

@@ -0,0 +1,7 @@
+---
+description: Allow SSH on WAN
+filter:
+- in: WAN
+  out: _fw
+  service: ssh
+  action: accept

config/awall/private/base.yaml

@@ -0,0 +1,30 @@
+---
+description: Base zones and policies
+zone:
+  WAN:
+    iface: wan
+  LAN:
+    iface: lan
+
+policy:
+- in: LAN
+  action: accept
+
+- out: LAN
+  action: accept
+
+- in: _fw
+  action: accept
+
+- in: _fw
+  out: WAN
+  action: accept
+
+- in: WAN
+  action: drop
+
+snat:
+- out: WAN
+
+clamp-mss:
+- out: WAN

config/dnsmasq/dnsmasq.conf

@@ -0,0 +1,54 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+local=/hetzner.ffrs/
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+server=1.1.1.1
+server=1.0.0.1
+#server=2606:4700:4700::1111@ppp0
+#server=2606:4700:4700::1001@ppp0
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+interface=lan
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+domain=hetzner.ffrs
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+dhcp-range=172.16.0.100,172.16.0.200,12h
+
+# do not read /etc/resolv.conf
+no-resolv
+
+log-facility=/var/log/dnsmasq.log
+log-queries
+log-async
+
+# Include all files in a directory which end in .conf
+conf-dir=/etc/dnsmasq.d/,*.conf

config/dnsmasq/hosts

@@ -0,0 +1,7 @@
+127.0.0.1     localhost.localdomain localhost
+::1           ipv6-gateway ipv6-loopback
+fe00::0       ip6-localnet
+ff00::0       ip6-mcastprefix
+ff02::1       ip6-allnodes
+ff02::2       ip6-allrouters
+10.22.0.1     firewall firewall.jakobi.duckdns.org

config/interface-config

@@ -0,0 +1,20 @@
+# Loopback interface; nothing complex here
+auto lo
+iface lo inet loopback
+  address 127.0.0.1
+  netmask 255.0.0.0
+
+auto lan
+iface lan inet static
+  address 172.16.0.1
+  netmask 255.255.255.0
+  broadcast 172.16.0.255
+  up ip route add blackhole 10.0.0.0/8
+  up ip route add blackhole 172.16.0.0/12
+  up ip route add blackhole 192.168.0.0/16
+
+auto wan
+iface wan inet static
+  address 46.4.156.126
+  netmask 225.255.255.240
+  gateway 46.4.156.113

dhcp.yml

@@ -0,0 +1,99 @@
+- hosts: h1-126
+  tasks:
+    - name: Install software
+      become: yes
+      package:
+        name:
+          - awall
+          - dnsmasq
+          - htop
+          - vim
+        state: present
+
+    - name: enable dnsmasq service
+      become: yes
+      service:
+        name: dnsmasq
+        enabled: yes
+        state: started
+
+    - name: Configure SSHD
+      become: yes
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        state: present
+        regexp: "PermitRootLogin"
+        line: "PermitRootLogin yes"
+        create: yes
+      notify: restart SSHD service
+
+    - name: add requirements in sysctl
+      become: yes
+      blockinfile:
+        path: /etc/sysctl.conf
+        insertafter: EOF
+        block: |
+          # Enable IPv4 forwarding
+          net.ipv4.ip_forward = 1
+
+    - name: configuring interfaces
+      become: yes
+      copy:
+        src: 'config/interface-config'
+        dest: '/etc/network/interfaces'
+        mode: 0644
+
+    - name: configure DNS
+      become: yes
+      copy: src={{ item.src }} dest={{ item.dest }} mode=0644
+      with_items:
+        - { src: 'config/dnsmasq/dnsmasq.conf', dest: '/etc/dnsmasq.conf'}
+        - { src: 'config/dnsmasq/hosts', dest: '/etc/hosts'}
+      notify: restart dnsmasq service
+
+    - name: configure awall
+      become: yes
+      copy: src={{ item.src }} dest={{ item.dest }} mode=0644
+      with_items:
+        - { src: 'config/awall/private', dest: '/etc/awall'}
+        - { src: 'config/awall/optional', dest: '/etc/awall'}
+
+    - name: enable IPv4 forwarding
+      become: yes
+      lineinfile:
+        path: /etc/conf.d/iptables
+        state: present
+        regexp: "IPFORWARD="
+        line: 'IPFORWARD="yes"'
+        create: yes
+
+    - name: Enable awall policies
+      awall:
+        name:
+          - main
+          - ssh
+          - icmp
+        state: enabled
+        activate: yes
+
+    - name: enable iptables service
+      become: yes
+      service:
+        name: iptables
+        enabled: yes
+        state: started
+
+  handlers:
+    - name: restart SSHD service
+      become: yes
+      service:
+        name: sshd
+        enabled: yes
+        state: restarted
+
+    - name: restart dnsmasq service
+      become: yes
+      service:
+        name: dnsmasq
+        enabled: yes
+        state: restarted

inventory.yml

@@ -0,0 +1,6 @@
+all:
+  hosts:
+    h1-126:
+      ansible_user: root
+      ansible_host: 46.4.156.126
+      ansible_python_interpreter: /usr/bin/python3.7