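---
# Lab topology playbook (one play per host group, one YAML document):
#   inetRouter / inetRouter2 -> centralRouter -> centralServer
#   centralRouter -> office1Router -> office1Server, office2Router -> office2Server
# Every play edits the Vagrant-generated netplan file with blockinfile (static routes,
# default gateways, and a second routing table selected by fwmark 2), enables forwarding
# where a host routes, and programs iptables (NAT, INPUT filtering, CONNMARK).
# Re-running must be safe: module-based iptables tasks are idempotent on their own, and every
# shell-based rule is checked with "iptables -C" before it is inserted.
#
# The netplan blocks use "|2" so that the extra leading spaces are kept as content: they must
# put "routes:" at the same depth as the interface's "addresses:" key in 50-vagrant.yaml
# (6 spaces assumed below — verify against the generated file on the hosts).

#########################
#
# inetRouter
#
#########################
- hosts: inetRouter
  become: true
  tasks:
    - name: update
      apt:
        update_cache: true

    # Provides netfilter-persistent, which restores /etc/iptables/rules.v4 at boot.
    - name: install iptables-persistent
      apt:
        name: iptables-persistent
        state: present

    - name: enable forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    # Everything in 192.168.0.0/16 is reached through centralRouter (192.168.255.2).
    - name: add route all office netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.1/30'
        block: |2
                routes:
                - to: 192.168.0.0/16
                  via: 192.168.255.2
        state: present
        marker: "# {mark} ROUTE ALL OFFICE BLOCK"
      notify: apply netplan

    # The nat table is flushed first so the MASQUERADE rule below is the only one present.
    - name: remove all rules NAT
      iptables:
        table: nat
        flush: true

    # Masquerade only traffic leaving the lab; lab-internal destinations keep their source.
    - name: add nat rule
      iptables:
        table: nat
        chain: POSTROUTING
        out_interface: enp0s3
        destination: '! 192.168.0.0/16'
        jump: MASQUERADE
        state: present

    # INPUT allow-list.  The chain policy is switched to DROP only after these rules exist,
    # so the order of the tasks below matters.
    - name: accept established, related
      iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: accept in loopback
      iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: accept icmp
      iptables:
        chain: INPUT
        protocol: icmp
        jump: ACCEPT

    # Keeps the Vagrant management SSH session (NAT interface enp0s3) working under policy DROP.
    - name: accept ssh vagrant
      iptables:
        chain: INPUT
        in_interface: enp0s3
        protocol: tcp
        destination_port: 22
        jump: ACCEPT

    # SSH from centralRouter is gated by a knock sequence: tcp/2222, then tcp/222 within 30 s,
    # then tcp/22 within 30 s; the first two knocks are dropped and only record the source.
    # The iptables module cannot express "-m recent", hence shell.  Each rule is checked with
    # "iptables -C" before "-A" so re-runs do not append duplicates (the duplicates would
    # otherwise also be persisted by the save task below); the task reports "changed" only
    # when a rule was actually added.
    - name: port knocking from centralRouter
      shell: |
        set -e
        add_rule() {
          chain="$1"; shift
          if ! iptables -C "$chain" "$@" 2>/dev/null; then
            iptables -A "$chain" "$@"
            echo added
          fi
        }
        add_rule INPUT -s 192.168.255.2 -p tcp --dport 2222 -m recent --name CONNECT_1 --set -j DROP
        add_rule INPUT -s 192.168.255.2 -p tcp --dport 222 -m recent --rcheck --seconds 30 --name CONNECT_1 -m recent --set --name CONNECT_2 -j DROP
        add_rule INPUT -s 192.168.255.2 -p tcp --dport 22 -m recent --rcheck --seconds 30 --name CONNECT_2 -j ACCEPT
      register: knock_rules
      changed_when: "'added' in knock_rules.stdout"

    # Default-deny for everything not matched above.
    - name: enable policy drop INPUT
      iptables:
        chain: INPUT
        policy: DROP

    # Persists all tables (filter, nat, mangle) for netfilter-persistent.
    - name: save iptables rules
      shell:
        cmd: iptables-save > /etc/iptables/rules.v4

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# inetRouter2
#
#########################
- hosts: inetRouter2
  become: true
  tasks:
    - name: update
      apt:
        update_cache: true

    - name: install iptables-persistent
      apt:
        name: iptables-persistent
        state: present

    - name: enable forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    # Second uplink: the lab is reached through centralRouter's other link (192.168.255.14).
    - name: add route all office netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.13/30'
        block: |2
                routes:
                - to: 192.168.0.0/16
                  via: 192.168.255.14
        state: present
        marker: "# {mark} ROUTE ALL OFFICE BLOCK"
      notify: apply netplan

    - name: remove all rules NAT
      iptables:
        table: nat
        flush: true

    - name: add out all nat rule
      iptables:
        table: nat
        chain: POSTROUTING
        out_interface: enp0s3
        destination: '! 192.168.0.0/16'
        jump: MASQUERADE
        state: present

    # Published HTTP entry point: tcp/80 arriving on enp0s3 is forwarded to centralServer.
    # Unlike inetRouter, this play configures no INPUT allow-list or DROP policy, so the
    # router's own services remain reachable from the enp0s3 side.
    - name: add DNAT http to centralServer
      iptables:
        table: nat
        chain: PREROUTING
        in_interface: enp0s3
        protocol: tcp
        destination_port: 80
        jump: DNAT
        to_destination: 192.168.0.2:80

    # Read-only lookup; the registered value is not referenced anywhere in this play.
    - name: get int name to link centralRouter
      shell: ip -o addr show to 192.168.255.13 | awk '{print $2}'
      register: int_name_link_centralRouter
      changed_when: false

    - name: save iptables rules
      shell:
        cmd: iptables-save > /etc/iptables/rules.v4

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# centralRouter
#
#########################
- hosts: centralRouter
  become: true
  tasks:
    - name: update
      apt:
        update_cache: true

    - name: install iptables-persistent
      apt:
        name: iptables-persistent
        state: present

    - name: enable forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    # Main table: default via inetRouter.
    - name: add default gateway netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.2/30'
        block: |2
                routes:
                - to: default
                  via: 192.168.255.1
        state: present
        marker: "# {mark} DEFAULT GATEWAY BLOCK"
      notify: apply netplan

    # Table 2: default via inetRouter2, selected for packets carrying fwmark 2
    # (set by the CONNMARK rules further down).
    - name: add rule route to inetRouter2 netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.14/30'
        block: |2
                routes:
                - to: 0.0.0.0/0
                  via: 192.168.255.13
                  table: 2
                routing-policy:
                - from: 0.0.0.0/0
                  mark: 2
                  table: 2
        state: present
        marker: "# {mark} ROUTE RULE inetRouter2"
      notify: apply netplan

    - name: add routes office 1 netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.5/30'
        block: |2
                routes:
                - to: 192.168.2.0/24
                  via: 192.168.255.6
        state: present
        marker: "# {mark} ROUTE OFFICE 1 BLOCK"
      notify: apply netplan

    - name: add routes office 2 netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.9/30'
        block: |2
                routes:
                - to: 192.168.1.0/24
                  via: 192.168.255.10
        state: present
        marker: "# {mark} ROUTE OFFICE 2 BLOCK"
      notify: apply netplan

    # Read-only lookup of the interface that faces inetRouter2; used by the mangle rules below.
    - name: get int name to link inetRouter2
      shell: ip -o addr show to 192.168.255.14 | awk '{print $2}'
      register: int_name_link_inetRouter2
      changed_when: false

    # Connections entering from the inetRouter2 link get CONNMARK 2; packets from centralServer
    # have that mark restored onto the packet, which the routing-policy above sends via table 2
    # (back out through inetRouter2 rather than the default gateway).  "-I" inserts at the top
    # of PREROUTING, so the restore rule, inserted last, ends up before the set rule.
    # Each rule is checked with "iptables -C" so re-runs do not insert duplicates.
    - name: mark in inetRouter2, and restore mark
      shell: |
        set -e
        add_rule() {
          chain="$1"; shift
          if ! iptables -t mangle -C "$chain" "$@" 2>/dev/null; then
            iptables -t mangle -I "$chain" "$@"
            echo added
          fi
        }
        add_rule PREROUTING -i {{ int_name_link_inetRouter2.stdout }} -j CONNMARK --set-mark 2
        add_rule PREROUTING -s 192.168.0.2 -j CONNMARK --restore-mark
      register: mangle_rules
      changed_when: "'added' in mangle_rules.stdout"

    - name: save iptables rules
      shell:
        cmd: iptables-save > /etc/iptables/rules.v4

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# centralServer
#
#########################
- hosts: centralServer
  become: true
  tasks:
    - name: update
      apt:
        update_cache: true

    - name: install iptables-persistent
      apt:
        name: iptables-persistent
        state: present

    # Target of the tcp/80 DNAT on inetRouter2.
    - name: install nginx
      apt:
        name: nginx
        state: present

    # Main table and table 2 both point at centralRouter; table 2 is selected for fwmark 2.
    - name: add default gateway netplan and rule routes
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.0.2/28'
        block: |2
                routes:
                - to: default
                  via: 192.168.0.1
                - to: 0.0.0.0/0
                  via: 192.168.0.1
                  table: 2
                routing-policy:
                - from: 0.0.0.0/0
                  mark: 2
                  table: 2
        state: present
        marker: "# {mark} DEFAULT GATEWAY BLOCK"
      notify: apply netplan

    # Read-only lookup of the interface that faces centralRouter; used by the mangle rules below.
    - name: get int name to link centralRouter
      shell: ip -o addr show to 192.168.0.2 | awk '{print $2}'
      register: int_name_link_centralRouter
      changed_when: false

    # Inbound connections on the centralRouter-facing interface get CONNMARK 2; the mark is
    # restored on locally generated packets in OUTPUT.  Checked with "iptables -C" before
    # insertion so re-runs do not duplicate the rules.
    - name: mark in centralRouter, and restore mark
      shell: |
        set -e
        add_rule() {
          chain="$1"; shift
          if ! iptables -t mangle -C "$chain" "$@" 2>/dev/null; then
            iptables -t mangle -I "$chain" "$@"
            echo added
          fi
        }
        add_rule INPUT -i {{ int_name_link_centralRouter.stdout }} -j CONNMARK --set-mark 2
        add_rule OUTPUT -j CONNMARK --restore-mark
      register: mangle_rules
      changed_when: "'added' in mangle_rules.stdout"

    - name: save iptables rules
      shell:
        cmd: iptables-save > /etc/iptables/rules.v4

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# office1Router
#
#########################
- hosts: office1Router
  become: true
  tasks:
    - name: enable forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    - name: add default gateway netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.6/30'
        block: |2
                routes:
                - to: default
                  via: 192.168.255.5
        state: present
        marker: "# {mark} DEFAULT GATEWAY BLOCK"
      notify: apply netplan

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# office1Server
#
#########################
- hosts: office1Server
  become: true
  tasks:
    - name: add default gateway netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.2.2/26'
        block: |2
                routes:
                - to: default
                  via: 192.168.2.1
        state: present
        marker: "# {mark} DEFAULT GATEWAY BLOCK"
      notify: apply netplan

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# office2Router
#
#########################
- hosts: office2Router
  become: true
  tasks:
    - name: enable forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    - name: add default gateway netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.255.10/30'
        block: |2
                routes:
                - to: default
                  via: 192.168.255.9
        state: present
        marker: "# {mark} DEFAULT GATEWAY BLOCK"
      notify: apply netplan

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# office2Server
#
#########################
- hosts: office2Server
  become: true
  tasks:
    - name: add default gateway netplan
      blockinfile:
        path: /etc/netplan/50-vagrant.yaml
        insertafter: ' - 192.168.1.2/25'
        block: |2
                routes:
                - to: default
                  via: 192.168.1.1
        state: present
        marker: "# {mark} DEFAULT GATEWAY BLOCK"
      notify: apply netplan

  handlers:
    - name: apply netplan
      command:
        cmd: netplan apply

#########################
#
# All host
#
#########################
- hosts: all
  become: true
  tasks:
    # enp0s3 is the Vagrant NAT interface.  DHCP stays on but its routes are discarded, so every
    # host except the two internet routers has to egress through the lab routers (and their
    # iptables rules) instead of straight out through the NAT.
    - name: change enp0s3 conf, disable default route
      copy:
        dest: /etc/netplan/50-cloud-init.yaml
        content: |
          network:
            ethernets:
              enp0s3:
                dhcp4: true
                dhcp4-overrides:
                  use-routes: false
            version: 2
        force: true
      when:
        - ansible_hostname != 'inetRouter'
        - ansible_hostname != 'inetRouter2'
      notify: apply netplan

  handlers:
    # Runs only on hosts that notified it, i.e. those that passed the task's "when" above,
    # so the host filter does not need to be repeated here.
    - name: apply netplan
      command:
        cmd: netplan apply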