- change AP firewall back to script, now using netfilter (requires Raspbian 10)

- install netfilter packages on AP nodes
This commit is contained in:
Pi
2019-10-04 13:36:01 -04:00
parent 322b2c2de4
commit e8e6d4f4db
5 changed files with 85 additions and 22 deletions


@@ -0,0 +1,6 @@
#!/bin/bash
nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule nat postrouting oifname eth0 masquerade
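Review bot: The new script sets up NAT only; nothing in it filters the forward path, so once net.ipv4.ip_forward is enabled by the sysctl task in the second file, traffic is forwarded between eth0 and wlan0 in both directions, whereas the removed iptables tasks at least stated the intent of accepting eth0→wlan0 only for `ctstate: ESTABLISHED,RELATED` (whether that was enforced depended on the FORWARD default policy, which neither version sets). A filter table with an explicit forward chain and a drop policy, as sketched below, carries that intent over in nftables terms. The script is also not idempotent: `nft add rule` appends another masquerade rule on every run, so either run `nft flush table ip nat` before the rules or move the ruleset into an `nft -f` file, and add `set -e` so a failing `nft` (for example on a release older than the Raspbian 10 the title calls out) does not continue silently. The last line omits the family; `nft add rule ip nat postrouting oifname eth0 masquerade` is the explicit form matching the chain definitions above it.
```shell
#!/bin/bash
set -e
# … unchanged: nat table, prerouting/postrouting chains, masquerade rule …
nft add table ip filter
nft add chain ip filter forward { type filter hook forward priority 0 \; policy drop \; }
nft add rule ip filter forward iifname wlan0 oifname eth0 accept
nft add rule ip filter forward iifname eth0 oifname wlan0 ct state established,related accept
```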


@@ -21,6 +21,12 @@
name: ['hostapd']
state: present
tags: wireless_ap
- name: install netfilter
become: true
apt:
name: ['nftables']
state: present
tags: wireless_ap
- name: configure hostapd
become: true
template:
@@ -72,28 +78,33 @@
masked: no
state: restarted
tags: wireless_ap
- name: lan to wlan
iptables:
chain: FORWARD
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
in_interface: eth0
out_interface: wlan0
become: yes
- name: wlan to lan
iptables:
chain: FORWARD
jump: ACCEPT
in_interface: wlan0
out_interface: eth0
become: yes
- name: forwarding
iptables:
chain: POSTROUTING
out_interface: eth0
table: nat
jump: MASQUERADE
become: yes
- name: enable ipv4.forwarding
become: true
sysctl:
name: net.ipv4.ip_forward
value: 1
sysctl_set: yes
state: present
reload: yes
tags: wireless_ap
- name: copy fw config
become: true
copy:
src: "{{ role_path }}/files/nft-rules-nat"
dest: "/etc/nft-rules-nat"
backup: yes
owner: root
group: root
mode: "a+x"
tags: wireless_ap
- name: iptables-restore to rc.local
lineinfile:
path: "/etc/rc.local"
state: present
insertbefore: "exit 0"
line: "/etc/nft-rules-nat"
become: true
tags: wireless_ap
- name: restart dhcpcd
become: true
systemd: