From e8e6d4f4dbab5124c753fdf3b0004dddf45af64b Mon Sep 17 00:00:00 2001
From: Pi
Date: Fri, 4 Oct 2019 13:36:01 -0400
Subject: [PATCH] - change AP firewall back to script, now using netfilter (requ raspbian 10) - install netfilter packages on AP nodes
---
 roles/ap/files/nft-rules-nat | 6 +++
 roles/ap/tasks/main.yaml | 55 +++++++++++++++++-----------
 roles/common/vars/os_Raspbian_11.yml | 27 ++++++++++++++
 roles/ntopng/vars/os_Raspbian_11.yml | 15 ++++++++
 snmpd.yaml | 4 ++
 5 files changed, 85 insertions(+), 22 deletions(-)
 create mode 100644 roles/ap/files/nft-rules-nat
 create mode 100644 roles/common/vars/os_Raspbian_11.yml
 create mode 100644 roles/ntopng/vars/os_Raspbian_11.yml
 create mode 100644 snmpd.yaml
diff --git a/roles/ap/files/nft-rules-nat b/roles/ap/files/nft-rules-nat
new file mode 100644
index 0000000..06dd243
--- /dev/null
+++ b/roles/ap/files/nft-rules-nat
@@ -0,0 +1,6 @@
+#!/bin/bash
+nft add table ip nat
+nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
+nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting oifname eth0 masquerade
+
diff --git a/roles/ap/tasks/main.yaml b/roles/ap/tasks/main.yaml
index 401d9b6..e5e8102 100644
--- a/roles/ap/tasks/main.yaml
+++ b/roles/ap/tasks/main.yaml
@@ -21,6 +21,12 @@
 name: ['hostapd']
 state: present
 tags: wireless_ap
+- name: install netfilter
+ become: true
+ apt:
+ name: ['nftables']
+ state: present
+ tags: wireless_ap
 - name: configure hostapd
 become: true
 template:
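Review bot: The `roles/ap/files/nft-rules-nat` script is not idempotent: `nft add rule nat postrouting oifname eth0 masquerade` appends another masquerade rule every time the script runs, and with no `set -e` a failed `add table`/`add chain` still lets the later commands run against whatever state exists. Adding `set -e` after the shebang and `nft flush table ip nat` right after `nft add table ip nat` makes repeated runs (a manual re-run, or `rc.local` after something else already loaded the table) converge on a single rule, since `add table` and `add chain` are accepted for objects that already exist. The iptables tasks this replaces also carried FORWARD-chain entries (`wlan0`→`eth0`, and `ESTABLISHED,RELATED` back), whereas the new script creates only a `nat` table with no filter table at all; if those were meant to constrain what is forwarded between the interfaces, that intent is no longer expressed anywhere and is worth confirming. The trailing empty `+` line at the end of the file can be dropped.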
@@ -72,28 +78,33 @@
 masked: no
 state: restarted
 tags: wireless_ap
-- name: lan to wlan
- iptables:
- chain: FORWARD
- ctstate: ESTABLISHED,RELATED
- jump: ACCEPT
- in_interface: eth0
- out_interface: wlan0
- become: yes
-- name: wlan to lan
- iptables:
- chain: FORWARD
- jump: ACCEPT
- in_interface: wlan0
- out_interface: eth0
- become: yes
-- name: forwarding
- iptables:
- chain: POSTROUTING
- out_interface: eth0
- table: nat
- jump: MASQUERADE
- become: yes
+- name: enable ipv4.forwarding
+ become: true
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ sysctl_set: yes
+ state: present
+ reload: yes
+ tags: wireless_ap
+- name: copy fw config
+ become: true
+ copy:
+ src: "{{ role_path }}/files/nft-rules-nat"
+ dest: "/etc/nft-rules-nat"
+ backup: yes
+ owner: root
+ group: root
+ mode: "a+x"
+ tags: wireless_ap
+- name: iptables-restore to rc.local
+ lineinfile:
+ path: "/etc/rc.local"
+ state: present
+ insertbefore: "exit 0"
+ line: "/etc/nft-rules-nat"
+ become: true
+ tags: wireless_ap
 - name: restart dhcpcd
 become: true
 systemd:
diff --git a/roles/common/vars/os_Raspbian_11.yml b/roles/common/vars/os_Raspbian_11.yml
new file mode 100644
index 0000000..7be703a
--- /dev/null
+++ b/roles/common/vars/os_Raspbian_11.yml
@@ -0,0 +1,27 @@
+---
+dependency_packages:
+ - expect
+ - ftp
+ - cadaver
+ - iperf
+ - iperf3
+ - libpcap0.8
+ - libsctp1
+ - libsctp-dev
+ - libncurses-dev
+ - libssl-dev
+ - libpcap-dev
+ - vim
+ - mc
+ - smbclient
+ - ncurses-dev
+ - build-essential
+ - openvpn
+ - lightdm
+ - lxde
+ - realvnc-vnc-server
+ - aptitude
+ - chromium-browser
+ - raspberrypi-ui-mods
+ - mtr
+ - screen
diff --git a/roles/ntopng/vars/os_Raspbian_11.yml b/roles/ntopng/vars/os_Raspbian_11.yml
new file mode 100644
index 0000000..16e908b
--- /dev/null
+++ b/roles/ntopng/vars/os_Raspbian_11.yml
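Review bot: After the `copy fw config` task nothing in the hunk executes `/etc/nft-rules-nat`, so on an AP that is already up the NAT rules only take effect at the next boot, whereas the `iptables` tasks being removed applied immediately; a task after the copy such as `command: /etc/nft-rules-nat` with `changed_when: false` (or a handler notified by the copy) closes that gap. Since the first hunk installs the `nftables` package, its `nftables.service` loading `/etc/nftables.conf` would be the package-native way to persist the ruleset rather than `/etc/rc.local`, where `lineinfile` silently appends at end of file if `exit 0` is not present. The task name `iptables-restore to rc.local` no longer describes what the task does; `- name: run nft-rules-nat from rc.local` would. The new tasks also mix `yes` (`sysctl_set`, `reload`, `backup`) with `true` (`become`); using `true` throughout avoids the YAML 1.1 truthy ambiguity.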
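Review bot: `dependency_packages` in the new `roles/common/vars/os_Raspbian_11.yml` lists both `libncurses-dev` and `ncurses-dev`; as far as I recall `ncurses-dev` is a transitional package pointing at `libncurses-dev` on Debian-derived releases, so one of the two is redundant — verify with `apt-cache show ncurses-dev` on the target and drop the duplicate. The file is named for Raspbian 11 while the subject says the change requires Raspbian 10; if this list is really meant for the newer release, the Raspbian-specific names (`chromium-browser`, `realvnc-vnc-server`, `raspberrypi-ui-mods`) should be checked against that release's package index before a role selects this file.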
@@ -0,0 +1,15 @@
+---
+ntopng_dependency_packages:
+ - autoconf
+ - shtool
+ - libtool
+ - libcurl4-openssl-dev
+ - libsqlite3-dev
+ - libmariadbclient-dev
+ - libreadline-dev
+ - libxml2-dev
+ - libglib2.0-dev
+ - redis
+ - libmaxminddb-dev
+ - libjson-c-dev
+ - git
diff --git a/snmpd.yaml b/snmpd.yaml
new file mode 100644
index 0000000..1f1760c
--- /dev/null
+++ b/snmpd.yaml
@@ -0,0 +1,4 @@
+---
+- hosts: snmpd
+ roles:
+ - snmpd
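Review bot: `libmariadbclient-dev` in `ntopng_dependency_packages` is, to my knowledge, the buster-era transitional name; Debian 11 ships the client headers as `libmariadb-dev` (with `libmariadb-dev-compat` for the old include paths), so a vars file named `os_Raspbian_11.yml` would fail at the `apt` step on that release — verify against the target's package index before relying on it. The subject describes a Raspbian 10 requirement, so if this file is actually intended for buster the `_11` suffix is what needs correcting instead.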