author | Lars Wirzenius <liw@liw.fi> | 2016-09-06 16:28:59 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2016-09-06 16:28:59 +0300 |
commit | 0fead051cec0716ee18c074b971d776cce53a5dd (patch) | |
tree | f16eb2df2d0985ded7536614db0a2044791e24cc | |
parent | 8fe447d46c56fb648bf2c1f34fedae47dbbaee2f (diff) | |
download | minipc-router-0fead051cec0716ee18c074b971d776cce53a5dd.tar.gz |
Some ferm messing up (not working)
-rw-r--r-- | ansible/roles/router/files/ferm.conf | 58 | ||||
-rw-r--r-- | ansible/roles/router/tasks/main.yml | 18 |
2 files changed, 72 insertions, 4 deletions
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
new file mode 100644
index 0000000..c1bd652
--- /dev/null
+++ b/ansible/roles/router/files/ferm.conf
@@ -0,0 +1,58 @@
+# Firewall configuration for a router with a dynamic IP.
+#
+# Based on example by Max Kellermann <max@duempel.org>
+# <http://ferm.foo-projects.org/download/examples/dsl_router.ferm>
+
+# Interface towards the Internet.
+@def $DEV_WORLD = eth0;
+
+# Interfaces towards LAN.
+@def $DEV_PRIVATE = (eth1 eth2 eth3);
+
+# Address range for LAN.
+@def $NET_PRIVATE = 10.0.0.0/16;
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # allow SSH connections from the private network and all
+ # Internet hosts. We do not want to restrict ssh to only a
+ # small number of "well known" hosts, since there's often a
+ # need to connect from net cafes and customer sites.
+ proto tcp dport ssh ACCEPT;
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # connections from the internal net to the internet or to other
+ # internal nets are allowed
+ interface $DEV_PRIVATE ACCEPT;
+ }
+}
+
+table nat {
+ chain POSTROUTING {
+ # masquerade private IP addresses
+# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
+ MASQUERADE;
+ }
+}
diff --git a/ansible/roles/router/tasks/main.yml b/ansible/roles/router/tasks/main.yml
index 6b76440..3c95278 100644
--- a/ansible/roles/router/tasks/main.yml
+++ b/ansible/roles/router/tasks/main.yml
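Review bot: In ferm.conf the `nat` POSTROUTING chain ends with a bare `MASQUERADE;`, which rewrites the source address of every connection leaving any interface, including LAN-to-LAN traffic and packets sent towards the LAN, so internal hosts and their logs no longer see the real source address. The scoped rule commented out just above it is the safer form; if the source-range match is what fails, keeping at least the interface match, `outerface $DEV_WORLD MASQUERADE;`, confines NAT to traffic leaving towards the Internet. Separately, the INPUT chain accepts SSH from any address with no rate limit; the comment explains this is deliberate, but it is only reasonable if sshd refuses password logins, and a one-line comment next to the rule saying so would record that assumption. As far as this file shows there is no `domain ip6` section, so if eth0 ever carries IPv6 these rules do not filter it.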
@@ -1,8 +1,18 @@ -- name: add iptables masquerading rule +- name: install ferm + apt: name=ferm + +- name: install ferm.conf copy: - src: setup-firewall - dest: /usr/local/sbin/setup-firewall - mode: 0755 + src: ferm.conf + dest: /etc/ferm/ferm.conf + owner: root + group: root + mode: 0640 + +- name: restart ferm + service: + name: ferm + state: restarted - name: set up packet forwarding sysctl config copy: |
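Review bot: The `install ferm.conf` task copies the rules file into place and the next task restarts ferm unconditionally, so a syntax error in ferm.conf is only discovered at restart time on the router itself, which may leave it without the intended rules. Adding something like `validate: ferm --noexec %s` to the copy task would reject a file that does not parse before it replaces /etc/ferm/ferm.conf, and making `restart ferm` a handler notified by the copy would restart the firewall only when the file actually changed. The old /usr/local/sbin/setup-firewall script is no longer installed, but nothing here removes it from hosts that already have it; if something still runs it at boot (not visible in this hunk), its rules would be applied alongside ferm's. Quoting the mode as `'0640'` avoids relying on how YAML parses a leading-zero integer. The hunk ends inside the following `set up packet forwarding sysctl config` task.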