
ffnw: add gre tunnel, add packet marking, add SNAT

1977er committed Jan 6, 2019
1 parent 452ac83 commit 56e0228f990e8c2c5550fd696db11e3fa2ddf145
@@ -0,0 +1,8 @@
---

- name: Generate firewall config stanza (ferm)
register: ferm_changed
template:
src: ferm.conf.j2
dest: /etc/ferm/conf.d/50-ffnw.conf
notify: reload ferm
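Review bot: `register: ferm_changed` captures the template result but nothing in this commit reads it, and the change is already propagated by `notify: reload ferm`, so either drop the register or wire it to something. A rendering error in the stanza is only discovered when the handler runs and ferm refuses the whole ruleset; adding `validate: 'ferm --noexec %s'` (check the exact flag for your ferm version) rejects a broken stanza before it lands in conf.d. An explicit `mode: '0644'` on the template task would also pin the file's permissions instead of inheriting the controller's umask.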
@@ -0,0 +1,27 @@
---

- name: Create network interface for each gre endpoint
notify: Restart networkd
template:
src: gre-network.j2
dest: /etc/systemd/network/15-gre-ffnw-{{ item.key }}.network
with_dict: "{{ ffnw }}"

- name: Create gre tunnel in networkd
notify: Restart networkd
template:
src: gre-netdev.j2
dest: /etc/systemd/network/30-gre-ffnw-{{ item.key }}.netdev
with_dict: "{{ ffnw }}"

- name: Create /etc/systemd/network/10-eth0.network.d directory
notify: Restart networkd
file:
name: /etc/systemd/network/10-eth0.network.d
state: directory

- name: Drop tunnel config into /etc/systemd/network/10-eth0.network.d directory
notify: Restart networkd
template:
src: gre-ffnw.conf.j2
dest: /etc/systemd/network/10-eth0.network.d/gre-ffnw.conf
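Review bot: These tasks only ever create files, so when a peer is dropped from `ffnw` its `15-gre-ffnw-*.network` and `30-gre-ffnw-*.netdev` stay behind and the tunnel comes back up after the restart, even though the regenerated ferm stanza no longer accepts GRE from that remote. Add a task that lists `/etc/systemd/network/*-gre-ffnw-*` and removes entries whose key is not in `ffnw` (or drive `state: absent` from a per-peer flag), notifying the same handler. Restarting networkd on every change re-applies the whole network configuration including eth0; on systemd >= 244 `networkctl reload` is gentler, though it may not exist on the target release this was written for. `with_dict` still works, but `loop: "{{ ffnw | dict2items }}"` is the current idiom and keeps `item.key`/`item.value` unchanged.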
@@ -0,0 +1,7 @@
---

- name: GRE stuff
include_tasks: gre.yml

- name: Firewall stuff
include_tasks: ferm.yml
@@ -0,0 +1,22 @@
domain (ip) {
table mangle {
chain PREROUTING {
{% for name,node in supernodes.items() %}
interface gre-{{ name }} MARK set-xmark 0x17/0xffffffff;
{% endfor %}
}
}
table nat {
chain POSTROUTING {
saddr 10.0.0.0/8 outerface gre-ffnw-ber SNAT to 185.197.132.136;
}
}
table filter {
chain INPUT {
{% for name,node in ffnw.items() %}
saddr {{ node.remote }}/32 proto gre ACCEPT; # ffnw-{{ name }}
interface gre-ffnw-{{ name }} proto tcp dport 179 ACCEPT;
{% endfor %}
}
}
}
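Review bot: The mark rule in mangle PREROUTING loops over `supernodes` and matches `interface gre-{{ name }}`, while the tunnels this commit creates are named `gre-ffnw-{{ item.key }}` from the `ffnw` dict, so unless the supernode names happen to coincide the new ffnw tunnels never receive mark 0x17; if marking ffnw traffic is the intent, loop over `ffnw` and match `interface gre-ffnw-{{ name }}`. The SNAT rule hard-codes `gre-ffnw-ber` and `185.197.132.136` instead of deriving them from `ffnw`, so a renamed or added peer silently stops being NATed. Only `domain (ip)` is defined, yet each tunnel also gets an IPv6 address in this commit, so a BGP session over IPv6 falls through to whatever the default INPUT policy is (not visible here). `saddr {{ node.remote }}/32 proto gre ACCEPT` is source-address filtering only; GRE carries no authentication, so anything that treats mark 0x17 as a trust signal should account for spoofed encapsulated packets.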
@@ -0,0 +1,4 @@
[Network]
{% for host in ffnw %}
Tunnel=gre-ffnw-{{ host }}
{% endfor %}
@@ -0,0 +1,8 @@
[NetDev]
Name=gre-ffnw-{{ item.key }}
Kind=gre

[Tunnel]
Local={{ item.value.local }}
Remote={{ item.value.remote }}
TTL=64
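Review bot: The tunnel is created with no `Key=` and GRE has no authentication or integrity protection, so a host that can spoof the peer's source address can inject encapsulated packets that emerge on gre-ffnw-* indistinguishable from peer traffic; the ferm rule added in this commit only checks the outer source address. A `[Tunnel]` `Key=` is not a secret and merely separates tunnels, so if peer traffic is trusted for routing or BGP the GRE should be carried inside IPsec or replaced by an authenticated tunnel. I would record the assumption in the template: `# GRE is unauthenticated: the host in Remote= is trusted and must be protected against source spoofing upstream`.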
@@ -0,0 +1,10 @@
[Match]
Name=gre-ffnw-{{ item.key }}

[Network]
Address={{ item.value.address4 }}
Address={{ item.value.address6 }}

[Link]
MTUBytes={{ item.value.mtu }}
Multicast=true
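Review bot: `Address={{ item.value.address6 }}` assigns an IPv6 address to every tunnel, but the ferm stanza in this commit only opens `proto tcp dport 179` under `domain (ip)`, so an IPv6 BGP neighbor on the tunnel would not be accepted; either add a matching `domain (ip6)` block or omit the IPv6 address where it is unused. The template also assumes `address4`, `address6` and `mtu` are present for every `ffnw` entry; a missing key fails the play, and an empty value yields a bare `Address=` line, which networkd, as far as I recall, treats as clearing the list. If not every peer carries IPv6, guard the line with `{% if item.value.address6 is defined %}` ... `{% endif %}`.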
