Add firewall support for WireGuard (gateways).

Christoph 2021-11-24 00:43:13 +01:00
parent 5118cff699
commit 96c8a5a4a3
2 changed files with 451 additions and 4 deletions


@ -33,6 +33,21 @@
path: /ro/etc/ipt-firewall/main_ipv6.conf
register: main_ipv6_exists
- name: Check if file '/ro/etc/ipt-firewall/interfaces_ipv4.conf' exists
stat:
path: /ro/etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
- name: Check if file '/ro/etc/ipt-firewall/interfaces_ipv6.conf' exists
stat:
path: /ro/etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
# ---
# Adjust some lines
# ---
- name: addjust line 'jitsi_tcp_ports' (IPv4)
lineinfile:
path: /ro/etc/ipt-firewall/main_ipv4.conf
@ -239,6 +254,190 @@
- alfaview_video_conference_out_ipv6_present is changed
# ---
# WireGuard Service
# ---
- name: Check if String 'local_wg_service..' (IPv4) is present
shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv4.conf
register: local_wg_service_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "local_wg_service_ipv4_present.rc > 1"
changed_when: "local_wg_service_ipv4_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (local_wg_service)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*vpn_local_net_ports'
block: |
# ======
# - WireGuard Service
# ======
# - WireGuard Service on Gateway?
# -
local_wg_service=true
wg_gw_ports="$standard_wg_port"
# - WireGuard Services DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one thuch service
# -
# - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settins of this parameter is possible
# -
declare -A wg_server_dmz_arr
# - Local WireGuard Ports
# -
# - Blank separated list
# -
wg_local_net_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)"
when:
- main_ipv4_exists.stat.exists
- local_wg_service_ipv4_present is changed
- name: Check if String 'local_wg_service..' (IPv6) is present
shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv6.conf
register: local_wg_service_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "local_wg_service_ipv6_present.rc > 1"
changed_when: "local_wg_service_ipv6_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (local_wg_service)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*vpn_local_net_ports'
block: |
# ======
# - WireGuard Service
# ======
# - WireGuard Service on Gateway?
# -
local_wg_service=true
wg_gw_ports="$standard_wg_port"
# - WireGuard Services DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one thuch service
# -
# - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
# - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
# -
# - Multiple settins of this parameter is possible
# -
declare -A wg_server_dmz_arr
# - Local WireGuard Ports
# -
# - Blank separated list
# -
wg_local_net_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)"
when:
- main_ipv6_exists.stat.exists
- local_wg_service_ipv6_present is changed
- name: Check if String 'allow_wg_out..' (IPv4) is present
shell: grep -q -E "^allow_wg_out=" /ro/etc/ipt-firewall/main_ipv4.conf
register: allow_wg_out_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "allow_wg_out_ipv4_present.rc > 1"
changed_when: "allow_wg_out_ipv4_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_wg_out)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*vpn_out_ports'
block: |
# WireGuard
#
allow_wg_out=true
wg_out_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)"
when:
- main_ipv4_exists.stat.exists
- allow_wg_out_ipv4_present is changed
- name: Check if String 'allow_wg_out..' (IPv6) is present
shell: grep -q -E "^allow_wg_out=" /ro/etc/ipt-firewall/main_ipv6.conf
register: allow_wg_out_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "allow_wg_out_ipv6_present.rc > 1"
changed_when: "allow_wg_out_ipv6_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_wg_out)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*vpn_out_ports'
block: |
# WireGuard
#
allow_wg_out=true
wg_out_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)"
when:
- main_ipv6_exists.stat.exists
- allow_wg_out_ipv6_present is changed
- name: Check if String 'wg_ifs..' (IPv4) is present
shell: grep -q -E "^wg_ifs=" /ro/etc/ipt-firewall/interfaces_ipv4.conf
register: wg_ifs_ipv4_present
when: interfaces_ipv4_exists.stat.exists
failed_when: "wg_ifs_ipv4_present.rc > 1"
changed_when: "wg_ifs_ipv4_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs)
blockinfile:
path: /ro/etc/ipt-firewall/interfaces_ipv4.conf
insertafter: '^#?\s*vpn_ifs'
block: |
# - WireGuard Interfaces
# -
# - (blank separated list)
# -
wg_ifs="wg+"
marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)"
when:
- interfaces_ipv4_exists.stat.exists
- wg_ifs_ipv4_present is changed
- name: Check if String 'wg_ifs..' (IPv6) is present
shell: grep -q -E "^wg_ifs=" /ro/etc/ipt-firewall/interfaces_ipv6.conf
register: wg_ifs_ipv6_present
when: interfaces_ipv6_exists.stat.exists
failed_when: "wg_ifs_ipv6_present.rc > 1"
changed_when: "wg_ifs_ipv6_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs)
blockinfile:
path: /ro/etc/ipt-firewall/interfaces_ipv6.conf
insertafter: '^#?\s*vpn_ifs'
block: |
# - WireGuard Interfaces
# -
# - (blank separated list)
# -
wg_ifs="wg+"
marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)"
when:
- interfaces_ipv6_exists.stat.exists
- wg_ifs_ipv6_present is changed
# ---
# Allow local services from ALL extern netwoks
@ -851,7 +1050,7 @@
# Remove Marker set by blockinfile
# ---
- name: Remove marker IPv4
- name: Remove marker IPv4 (main_ipv4.conf)
replace :
path: /ro/etc/ipt-firewall/main_ipv4.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
@ -862,7 +1061,7 @@
when:
- main_ipv4_exists.stat.exists
- name: Remove marker IPv6
- name: Remove marker IPv6 (main_ipv6.conf)
replace :
path: /ro/etc/ipt-firewall/main_ipv6.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
@ -873,6 +1072,28 @@
when:
- main_ipv6_exists.stat.exists
- name: Remove marker IPv4 (interfaces_ipv4.conf)
replace :
path: /ro/etc/ipt-firewall/interfaces_ipv4.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
replace: ""
register: marker_ipv4_removed
#failed_when: "marker_ipv4_removed.rc > 1"
#changed_when: "marker_ipv4_removed.rc < 1"
when:
- interfaces_ipv4_exists.stat.exists
- name: Remove marker IPv6 (interfaces_ipv6.conf)
replace :
path: /ro/etc/ipt-firewall/interfaces_ipv6.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
replace: ""
register: marker_ipv6_removed
#failed_when: "marker_ipv6_removed.rc > 1"
#changed_when: "marker_ipv6_removed.rc < 1"
when:
- interfaces_ipv6_exists.stat.exists
# ---
# Confiuration Files
# ---
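Review bot: The presence check `shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv4.conf` (and its IPv6, allow_wg_out and wg_ifs siblings, repeated in the second file section of this commit for the /etc/ipt-firewall variant) does not match a commented-out setting, whereas the `insertafter: '^#?\s*vpn_local_net_ports'` anchor right below it deliberately tolerates one; an operator who opted out with `#local_wg_service=false` therefore gets the block appended with `local_wg_service=true`, which, judging by the variable names, opens the WireGuard gateway ports on that host. Accepting the commented form in the check, `shell: grep -q -E "^#?\s*local_wg_service=" /ro/etc/ipt-firewall/main_ipv4.conf`, keeps an explicit opt-out intact, and the same one-character change applies to the allow_wg_out and wg_ifs checks. The markers given to blockinfile contain no `{mark}`, which Ansible documents as a cause of repeated insertion on later runs; here the grep guard and the marker-removal tasks at the end of the file mask that, so a short comment above the first blockinfile task stating that idempotence comes from the grep check and that the marker is intentionally stripped afterwards would save the next maintainer from "fixing" it.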


@ -29,6 +29,25 @@
notify:
- Restart IPv6 Firewall
- name: Check if file '/etc/ipt-firewall/interfaces_ipv4.conf' exists
stat:
path: /etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
notify:
- Restart IPv4 Firewall
- name: Check if file '/etc/ipt-firewall/interfaces_ipv6.conf' exists
stat:
path: /etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
notify:
- Restart IPv6 Firewall
# ---
# Adjust some lines
# ---
- name: addjust line 'jitsi_tcp_ports' (IPv4)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
@ -294,6 +313,191 @@
- alfaview_video_conference_out_ipv6_present is changed
# ---
# WireGuard Service
# ---
- name: Check if String 'local_wg_service..' (IPv4) is present
shell: grep -q -E "^local_wg_service=" /etc/ipt-firewall/main_ipv4.conf
register: local_wg_service_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "local_wg_service_ipv4_present.rc > 1"
changed_when: "local_wg_service_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_wg_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*vpn_local_net_ports'
block: |
# ======
# - WireGuard Service
# ======
# - WireGuard Service on Gateway?
# -
local_wg_service=true
wg_gw_ports="$standard_wg_port"
# - WireGuard Services DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one thuch service
# -
# - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settins of this parameter is possible
# -
declare -A wg_server_dmz_arr
# - Local WireGuard Ports
# -
# - Blank separated list
# -
wg_local_net_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)"
when:
- main_ipv4_exists.stat.exists
- local_wg_service_ipv4_present is changed
- name: Check if String 'local_wg_service..' (IPv6) is present
shell: grep -q -E "^local_wg_service=" /etc/ipt-firewall/main_ipv6.conf
register: local_wg_service_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "local_wg_service_ipv6_present.rc > 1"
changed_when: "local_wg_service_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_wg_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*vpn_local_net_ports'
block: |
# ======
# - WireGuard Service
# ======
# - WireGuard Service on Gateway?
# -
local_wg_service=true
wg_gw_ports="$standard_wg_port"
# - WireGuard Services DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one thuch service
# -
# - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
# - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
# -
# - Multiple settins of this parameter is possible
# -
declare -A wg_server_dmz_arr
# - Local WireGuard Ports
# -
# - Blank separated list
# -
wg_local_net_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)"
when:
- main_ipv6_exists.stat.exists
- local_wg_service_ipv6_present is changed
- name: Check if String 'allow_wg_out..' (IPv4) is present
shell: grep -q -E "^allow_wg_out=" /etc/ipt-firewall/main_ipv4.conf
register: allow_wg_out_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "allow_wg_out_ipv4_present.rc > 1"
changed_when: "allow_wg_out_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_wg_out)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*vpn_out_ports'
block: |
# WireGuard
#
allow_wg_out=true
wg_out_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)"
when:
- main_ipv4_exists.stat.exists
- allow_wg_out_ipv4_present is changed
- name: Check if String 'allow_wg_out..' (IPv6) is present
shell: grep -q -E "^allow_wg_out=" /etc/ipt-firewall/main_ipv6.conf
register: allow_wg_out_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "allow_wg_out_ipv6_present.rc > 1"
changed_when: "allow_wg_out_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_wg_out)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*vpn_out_ports'
block: |
# WireGuard
#
allow_wg_out=true
wg_out_ports="$standard_wg_port"
marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)"
when:
- main_ipv6_exists.stat.exists
- allow_wg_out_ipv6_present is changed
- name: Check if String 'wg_ifs..' (IPv4) is present
shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf
register: wg_ifs_ipv4_present
when: interfaces_ipv4_exists.stat.exists
failed_when: "wg_ifs_ipv4_present.rc > 1"
changed_when: "wg_ifs_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs)
blockinfile:
path: /etc/ipt-firewall/interfaces_ipv4.conf
insertafter: '^#?\s*vpn_ifs'
block: |
# - WireGuard Interfaces
# -
# - (blank separated list)
# -
wg_ifs="wg+"
marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)"
when:
- interfaces_ipv4_exists.stat.exists
- wg_ifs_ipv4_present is changed
- name: Check if String 'wg_ifs..' (IPv6) is present
shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf
register: wg_ifs_ipv6_present
when: interfaces_ipv6_exists.stat.exists
failed_when: "wg_ifs_ipv6_present.rc > 1"
changed_when: "wg_ifs_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs)
blockinfile:
path: /etc/ipt-firewall/interfaces_ipv6.conf
insertafter: '^#?\s*vpn_ifs'
block: |
# - WireGuard Interfaces
# -
# - (blank separated list)
# -
wg_ifs="wg+"
marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)"
when:
- interfaces_ipv6_exists.stat.exists
- wg_ifs_ipv6_present is changed
# ---
# Allow local services from ALL extern netwoks
# ---
@ -982,7 +1186,7 @@
# Remove Marker set by blockinfile
# ---
- name: Remove marker IPv4
- name: Remove marker IPv4 (main_ipv4.conf)
replace :
path: /etc/ipt-firewall/main_ipv4.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
@ -993,7 +1197,7 @@
when:
- main_ipv4_exists.stat.exists
- name: Remove marker IPv6
- name: Remove marker IPv6 (main_ipv6.conf)
replace :
path: /etc/ipt-firewall/main_ipv6.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
@ -1004,6 +1208,28 @@
when:
- main_ipv6_exists.stat.exists
- name: Remove marker IPv4 (interfaces_ipv4.conf)
replace :
path: /etc/ipt-firewall/interfaces_ipv4.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
replace: ""
register: marker_ipv4_removed
#failed_when: "marker_ipv4_removed.rc > 1"
#changed_when: "marker_ipv4_removed.rc < 1"
when:
- interfaces_ipv4_exists.stat.exists
- name: Remove marker IPv6 (interfaces_ipv6.conf)
replace :
path: /etc/ipt-firewall/interfaces_ipv6.conf
regexp: "^# Marker set by modify-ipt-gateway.yml.*$"
replace: ""
register: marker_ipv6_removed
#failed_when: "marker_ipv6_removed.rc > 1"
#changed_when: "marker_ipv6_removed.rc < 1"
when:
- interfaces_ipv6_exists.stat.exists
# ---
# Confiuration Files
# ---
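Review bot: The `notify:` handlers attached to the two new stat tasks for interfaces_ipv4.conf and interfaces_ipv6.conf never fire, because stat only reads the file and always reports changed=false; as written they suggest a firewall restart that does not happen. Dropping the `notify:` lines from those two stat tasks removes the misleading trigger, and the handlers remain reachable from the tasks that actually edit the files. Separately, the new marker-removal tasks write the module key as `replace :` with a space before the colon; YAML still parses it as the key `replace`, but yamllint flags it, and `replace:` is the form used by every other key in these tasks. The first hunk ends inside the `addjust line 'jitsi_tcp_ports'` lineinfile task, so only the stat tasks above it were reviewed here.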