Добавить ansible.yml

2026-03-18 00:00:06 +03:00
parent 9409f87d02
commit 85746991fd

503
ansible.yml Normal file

@@ -0,0 +1,503 @@
#########################
#
# inetRouter
#
#########################
- hosts: inetRouter
become: true
tasks:
- name: update
apt:
update_cache: yes
- name: install iptables-persistent
apt:
name: iptables-persistent
state: present
- name: enable forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: add route all office netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.1/30'
block: |2
routes:
- to: 192.168.0.0/16
via: 192.168.255.2
state: present
marker: "# {mark} ROUTE ALL OFFICE BLOCK"
notify: apply netplan
- name: remove all rules NAT
iptables:
table: nat
flush: true
- name: add nat rule
iptables:
table: nat
chain: POSTROUTING
out_interface: enp0s3
destination: '! 192.168.0.0/16'
jump: MASQUERADE
state: present
- name: accept established, related
iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: accept in loopbakc
iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: accept icmp
iptables:
chain: INPUT
protocol: icmp
jump: ACCEPT
- name: accept ssh vagrant
iptables:
chain: INPUT
in_interface: enp0s3
protocol: tcp
destination_port: 22
jump: ACCEPT
- name: port knocking from centralRouter
shell: |
iptables -A INPUT -s 192.168.255.2 -p tcp --dport 2222 -m recent --name CONNECT_1 --set -j DROP
iptables -A INPUT -s 192.168.255.2 -p tcp --dport 222 -m recent --rcheck --seconds 30 --name CONNECT_1 -m recent --set --name CONNECT_2 -j DROP
iptables -A INPUT -s 192.168.255.2 -p tcp --dport 22 -m recent --rcheck --seconds 30 --name CONNECT_2 -j ACCEPT
- name: enable policy drop INPUT
iptables:
chain: INPUT
policy: DROP
- name: save iptables rules
shell:
cmd: iptables-save > /etc/iptables/rules.v4
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# inetRouter2
#
#########################
- hosts: inetRouter2
become: true
tasks:
- name: update
apt:
update_cache: yes
- name: install iptables-persistent
apt:
name: iptables-persistent
state: present
- name: enable forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: add route all office netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.13/30'
block: |2
routes:
- to: 192.168.0.0/16
via: 192.168.255.14
state: present
marker: "# {mark} ROUTE ALL OFFICE BLOCK"
notify: apply netplan
- name: remove all rules NAT
iptables:
table: nat
flush: true
- name: add out all nat rule
iptables:
table: nat
chain: POSTROUTING
out_interface: enp0s3
destination: '! 192.168.0.0/16'
jump: MASQUERADE
state: present
- name: add DNAT http to centralServer
iptables:
table: nat
chain: PREROUTING
in_interface: enp0s3
protocol: tcp
destination_port: 80
jump: DNAT
to_destination: 192.168.0.2:80
- name: get int name to link centralRouter
shell: ip -o addr show to 192.168.255.13 | awk '{print $2}'
register: int_name_link_centralRouter
- name: save iptables rules
shell:
cmd: iptables-save > /etc/iptables/rules.v4
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# centralRouter
#
#########################
- hosts: centralRouter
become: true
tasks:
- name: update
apt:
update_cache: yes
- name: install iptables-persistent
apt:
name: iptables-persistent
state: present
- name: enable forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: add default gateway netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.2/30'
block: |2
routes:
- to: default
via: 192.168.255.1
state: present
marker: "# {mark} DEFAULT GATEWAY BLOCK"
notify: apply netplan
- name: add rule route to inetRouter2 netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.14/30'
block: |2
routes:
- to: 0.0.0.0/0
via: 192.168.255.13
table: 2
routing-policy:
- from: 0.0.0.0/0
mark: 2
table: 2
state: present
marker: "# {mark} ROUTE RULE inetRouter2"
notify: apply netplan
- name: add routes office 1 netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.5/30'
block: |2
routes:
- to: 192.168.2.0/24
via: 192.168.255.6
state: present
marker: "# {mark} ROUTE OFFICE 1 BLOCK"
notify: apply netplan
- name: add routes office 2 netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.9/30'
block: |2
routes:
- to: 192.168.1.0/24
via: 192.168.255.10
state: present
marker: "# {mark} ROUTE OFFICE 2 BLOCK"
notify: apply netplan
- name: get int name to link inetRouter2
shell: ip -o addr show to 192.168.255.14 | awk '{print $2}'
register: int_name_link_inetRouter2
- name: mark in inetRouter2, and restore mark
shell: |
iptables -t mangle -I PREROUTING -i {{ int_name_link_inetRouter2.stdout }} -j CONNMARK --set-mark 2
iptables -t mangle -I PREROUTING -s 192.168.0.2 -j CONNMARK --restore-mark
- name: save iptables rules
shell:
cmd: iptables-save > /etc/iptables/rules.v4
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# centralServer
#
#########################
- hosts: centralServer
become: true
tasks:
- name: update
apt:
update_cache: yes
- name: install iptables-persistent
apt:
name: iptables-persistent
state: present
- name: install nginx
apt:
name: nginx
state: present
- name: add default gateway netplan and rule routes
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.0.2/28'
block: |2
routes:
- to: default
via: 192.168.0.1
- to: 0.0.0.0/0
via: 192.168.0.1
table: 2
routing-policy:
- from: 0.0.0.0/0
mark: 2
table: 2
state: present
marker: "# {mark} DEFAULT GATEWAY BLOCK"
notify: apply netplan
- name: get int name to link centralRouter
shell: ip -o addr show to 192.168.0.2 | awk '{print $2}'
register: int_name_link_centralRouter
- name: mark in centralRouter, and restore mark
shell: |
iptables -t mangle -I INPUT -i {{ int_name_link_centralRouter.stdout }} -j CONNMARK --set-mark 2
iptables -t mangle -I OUTPUT -j CONNMARK --restore-mark
- name: save iptables rules
shell:
cmd: iptables-save > /etc/iptables/rules.v4
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# office1Router
#
#########################
- hosts: office1Router
become: true
tasks:
- name: enable forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: add default gateway netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.6/30'
block: |2
routes:
- to: default
via: 192.168.255.5
state: present
marker: "# {mark} DEFAULT GATEWAY BLOCK"
notify: apply netplan
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# office1Server
#
#########################
- hosts: office1Server
become: true
tasks:
- name: add default gateway netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.2.2/26'
block: |2
routes:
- to: default
via: 192.168.2.1
state: present
marker: "# {mark} DEFAULT GATEWAY BLOCK"
notify: apply netplan
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# office2Router
#
#########################
- hosts: office2Router
become: true
tasks:
- name: enable forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: add default gateway netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.255.10/30'
block: |2
routes:
- to: default
via: 192.168.255.9
state: present
marker: "# {mark} DEFAULT GATEWAY BLOCK"
notify: apply netplan
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# office2Server
#
#########################
- hosts: office2Server
become: true
tasks:
- name: add default gateway netplan
blockinfile:
path: /etc/netplan/50-vagrant.yaml
insertafter: ' - 192.168.1.2/25'
block: |2
routes:
- to: default
via: 192.168.1.1
state: present
marker: "# {mark} DEFAULT GATEWAY BLOCK"
notify: apply netplan
handlers:
- name: apply netplan
command:
cmd: netplan apply
#########################
#
# All host
#
#########################
- hosts: all
become: true
tasks:
- name: change enp0s3 conf, disable default route
copy:
dest: /etc/netplan/50-cloud-init.yaml
content: |
network:
ethernets:
enp0s3:
dhcp4: true
dhcp4-overrides:
use-routes: false
version: 2
force: yes
when:
- ansible_hostname != 'inetRouter'
- ansible_hostname != 'inetRouter2'
notify: apply netplan
handlers:
- name: apply netplan
command:
cmd: netplan apply
when:
- ansible_hostname != 'inetRouter'
- ansible_hostname != 'inetRouter2'