diff --git a/ansible.yml b/ansible.yml
new file mode 100644
index 0000000..9172729
--- /dev/null
+++ b/ansible.yml
@@ -0,0 +1,503 @@
+#########################
+#
+# inetRouter
+#
+#########################
+
+- hosts: inetRouter
+ become: true
+ tasks:
+
+ - name: update
+ apt:
+ update_cache: yes
+
+ - name: install iptables-persistent
+ apt:
+ name: iptables-persistent
+ state: present
+
+ - name: enable forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+ - name: add route all office netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.1/30'
+ block: |2
+ routes:
+ - to: 192.168.0.0/16
+ via: 192.168.255.2
+ state: present
+ marker: "# {mark} ROUTE ALL OFFICE BLOCK"
+ notify: apply netplan
+
+ - name: remove all rules NAT
+ iptables:
+ table: nat
+ flush: true
+
+ - name: add nat rule
+ iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: enp0s3
+ destination: '! 192.168.0.0/16'
+ jump: MASQUERADE
+ state: present
+
+ - name: accept established, related
+ iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+
+ - name: accept in loopbakc
+ iptables:
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+
+ - name: accept icmp
+ iptables:
+ chain: INPUT
+ protocol: icmp
+ jump: ACCEPT
+
+ - name: accept ssh vagrant
+ iptables:
+ chain: INPUT
+ in_interface: enp0s3
+ protocol: tcp
+ destination_port: 22
+ jump: ACCEPT
+
+ - name: port knocking from centralRouter
+ shell: |
+ iptables -A INPUT -s 192.168.255.2 -p tcp --dport 2222 -m recent --name CONNECT_1 --set -j DROP
+ iptables -A INPUT -s 192.168.255.2 -p tcp --dport 222 -m recent --rcheck --seconds 30 --name CONNECT_1 -m recent --set --name CONNECT_2 -j DROP
+ iptables -A INPUT -s 192.168.255.2 -p tcp --dport 22 -m recent --rcheck --seconds 30 --name CONNECT_2 -j ACCEPT
+
+ - name: enable policy drop INPUT
+ iptables:
+ chain: INPUT
+ policy: DROP
+
+ - name: save iptables rules
+ shell:
+ cmd: iptables-save > /etc/iptables/rules.v4
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+
+#########################
+#
+# inetRouter2
+#
+#########################
+
+- hosts: inetRouter2
+ become: true
+ tasks:
+
+ - name: update
+ apt:
+ update_cache: yes
+
+ - name: install iptables-persistent
+ apt:
+ name: iptables-persistent
+ state: present
+
+
+ - name: enable forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+ - name: add route all office netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.13/30'
+ block: |2
+ routes:
+ - to: 192.168.0.0/16
+ via: 192.168.255.14
+ state: present
+ marker: "# {mark} ROUTE ALL OFFICE BLOCK"
+ notify: apply netplan
+
+ - name: remove all rules NAT
+ iptables:
+ table: nat
+ flush: true
+
+ - name: add out all nat rule
+ iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: enp0s3
+ destination: '! 192.168.0.0/16'
+ jump: MASQUERADE
+ state: present
+
+ - name: add DNAT http to centralServer
+ iptables:
+ table: nat
+ chain: PREROUTING
+ in_interface: enp0s3
+ protocol: tcp
+ destination_port: 80
+ jump: DNAT
+ to_destination: 192.168.0.2:80
+
+ - name: get int name to link centralRouter
+ shell: ip -o addr show to 192.168.255.13 | awk '{print $2}'
+ register: int_name_link_centralRouter
+
+ - name: save iptables rules
+ shell:
+ cmd: iptables-save > /etc/iptables/rules.v4
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+
+#########################
+#
+# centralRouter
+#
+#########################
+
+- hosts: centralRouter
+ become: true
+ tasks:
+
+ - name: update
+ apt:
+ update_cache: yes
+
+ - name: install iptables-persistent
+ apt:
+ name: iptables-persistent
+ state: present
+
+
+ - name: enable forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+ - name: add default gateway netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.2/30'
+ block: |2
+ routes:
+ - to: default
+ via: 192.168.255.1
+ state: present
+ marker: "# {mark} DEFAULT GATEWAY BLOCK"
+ notify: apply netplan
+
+ - name: add rule route to inetRouter2 netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.14/30'
+ block: |2
+ routes:
+ - to: 0.0.0.0/0
+ via: 192.168.255.13
+ table: 2
+ routing-policy:
+ - from: 0.0.0.0/0
+ mark: 2
+ table: 2
+ state: present
+ marker: "# {mark} ROUTE RULE inetRouter2"
+ notify: apply netplan
+
+
+ - name: add routes office 1 netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.5/30'
+ block: |2
+ routes:
+ - to: 192.168.2.0/24
+ via: 192.168.255.6
+ state: present
+ marker: "# {mark} ROUTE OFFICE 1 BLOCK"
+ notify: apply netplan
+
+
+ - name: add routes office 2 netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.9/30'
+ block: |2
+ routes:
+ - to: 192.168.1.0/24
+ via: 192.168.255.10
+ state: present
+ marker: "# {mark} ROUTE OFFICE 2 BLOCK"
+ notify: apply netplan
+
+
+ - name: get int name to link inetRouter2
+ shell: ip -o addr show to 192.168.255.14 | awk '{print $2}'
+ register: int_name_link_inetRouter2
+
+ - name: mark in inetRouter2, and restore mark
+ shell: |
+ iptables -t mangle -I PREROUTING -i {{ int_name_link_inetRouter2.stdout }} -j CONNMARK --set-mark 2
+ iptables -t mangle -I PREROUTING -s 192.168.0.2 -j CONNMARK --restore-mark
+
+ - name: save iptables rules
+ shell:
+ cmd: iptables-save > /etc/iptables/rules.v4
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+#########################
+#
+# centralServer
+#
+#########################
+
+- hosts: centralServer
+ become: true
+ tasks:
+
+ - name: update
+ apt:
+ update_cache: yes
+
+ - name: install iptables-persistent
+ apt:
+ name: iptables-persistent
+ state: present
+
+ - name: install nginx
+ apt:
+ name: nginx
+ state: present
+
+ - name: add default gateway netplan and rule routes
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.0.2/28'
+ block: |2
+ routes:
+ - to: default
+ via: 192.168.0.1
+
+ - to: 0.0.0.0/0
+ via: 192.168.0.1
+ table: 2
+
+ routing-policy:
+ - from: 0.0.0.0/0
+ mark: 2
+ table: 2
+ state: present
+ marker: "# {mark} DEFAULT GATEWAY BLOCK"
+ notify: apply netplan
+
+ - name: get int name to link centralRouter
+ shell: ip -o addr show to 192.168.0.2 | awk '{print $2}'
+ register: int_name_link_centralRouter
+
+ - name: mark in centralRouter, and restore mark
+ shell: |
+ iptables -t mangle -I INPUT -i {{ int_name_link_centralRouter.stdout }} -j CONNMARK --set-mark 2
+ iptables -t mangle -I OUTPUT -j CONNMARK --restore-mark
+
+ - name: save iptables rules
+ shell:
+ cmd: iptables-save > /etc/iptables/rules.v4
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+
+#########################
+#
+# office1Router
+#
+#########################
+
+- hosts: office1Router
+ become: true
+ tasks:
+
+ - name: enable forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+ - name: add default gateway netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.6/30'
+ block: |2
+ routes:
+ - to: default
+ via: 192.168.255.5
+ state: present
+ marker: "# {mark} DEFAULT GATEWAY BLOCK"
+ notify: apply netplan
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+#########################
+#
+# office1Server
+#
+#########################
+
+- hosts: office1Server
+ become: true
+ tasks:
+
+ - name: add default gateway netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.2.2/26'
+ block: |2
+ routes:
+ - to: default
+ via: 192.168.2.1
+ state: present
+ marker: "# {mark} DEFAULT GATEWAY BLOCK"
+ notify: apply netplan
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+#########################
+#
+# office2Router
+#
+#########################
+
+- hosts: office2Router
+ become: true
+ tasks:
+
+ - name: enable forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+ - name: add default gateway netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.255.10/30'
+ block: |2
+ routes:
+ - to: default
+ via: 192.168.255.9
+ state: present
+ marker: "# {mark} DEFAULT GATEWAY BLOCK"
+ notify: apply netplan
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+
+#########################
+#
+# office2Server
+#
+#########################
+
+- hosts: office2Server
+ become: true
+ tasks:
+
+ - name: add default gateway netplan
+ blockinfile:
+ path: /etc/netplan/50-vagrant.yaml
+ insertafter: ' - 192.168.1.2/25'
+ block: |2
+ routes:
+ - to: default
+ via: 192.168.1.1
+ state: present
+ marker: "# {mark} DEFAULT GATEWAY BLOCK"
+ notify: apply netplan
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+
+#########################
+#
+# All host
+#
+#########################
+- hosts: all
+ become: true
+ tasks:
+
+ - name: change enp0s3 conf, disable default route
+ copy:
+ dest: /etc/netplan/50-cloud-init.yaml
+ content: |
+ network:
+ ethernets:
+ enp0s3:
+ dhcp4: true
+ dhcp4-overrides:
+ use-routes: false
+ version: 2
+ force: yes
+ when:
+ - ansible_hostname != 'inetRouter'
+ - ansible_hostname != 'inetRouter2'
+ notify: apply netplan
+
+ handlers:
+ - name: apply netplan
+ command:
+ cmd: netplan apply
+ when:
+ - ansible_hostname != 'inetRouter'
+ - ansible_hostname != 'inetRouter2'
+
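Review bot: Neither router filters the FORWARD chain: inetRouter sets its INPUT policy to DROP but leaves FORWARD at the default, and on inetRouter2 the port-80 DNAT is the only rule at all, so any packet arriving on enp0s3 with a destination in 192.168.0.0/16 is forwarded along the route the netplan block adds — provided hosts on the enp0s3 side can route to those addresses, which depends on the lab's NAT setup and is not visible here. The `int_name_link_centralRouter` fact on inetRouter2 is registered and never used; it can name the inside interface in a FORWARD policy that admits established/related traffic, new flows from the inside out, and from enp0s3 only the DNAT'd 192.168.0.2:80, with DROP as the default (sketched below). The port-knocking and CONNMARK tasks run `shell: iptables -A/-I` with no existence check, so every re-run appends duplicate rules that then land in rules.v4, since only the nat table is flushed; the `iptables` module, or `iptables -C … || iptables -A …`, keeps them idempotent. Only rules.v4 is written, so if IPv6 is enabled on enp0s3 the INPUT DROP policy does not cover it — add the matching ip6tables policy or confirm v6 is off.

```yaml
# … unchanged: inetRouter2 tasks through "get int name to link centralRouter" …
    - name: forward established, related
      iptables:
        chain: FORWARD
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: forward new flows from inside out
      iptables:
        chain: FORWARD
        in_interface: "{{ int_name_link_centralRouter.stdout }}"
        out_interface: enp0s3
        jump: ACCEPT

    - name: forward only DNATed http to centralServer from outside
      iptables:
        chain: FORWARD
        in_interface: enp0s3
        protocol: tcp
        destination: 192.168.0.2
        destination_port: 80
        ctstate: NEW
        jump: ACCEPT

    - name: enable policy drop FORWARD
      iptables:
        chain: FORWARD
        policy: DROP
# … unchanged: save iptables rules, handlers …
```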