- change AP firewall back to script, now using netfilter (requ raspbian 10)

- install netfilter packages on AP nodes

roles/ap/files/nft-rules-nat

@@ -0,0 +1,6 @@
+#!/bin/bash
+nft add table ip nat
+nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
+nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting oifname eth0 masquerade
+

roles/ap/tasks/main.yaml

@@ -21,6 +21,12 @@
     name: ['hostapd']
     state: present
   tags: wireless_ap
+- name: install netfilter
+  become: true
+  apt:
+          name: ['nftables']
+          state: present
+  tags: wireless_ap
 - name: configure hostapd
   become: true
   template:
@@ -72,28 +78,33 @@
           masked: no
           state: restarted
   tags: wireless_ap
-- name: lan to wlan
+- name: enable ipv4.forwarding
-  iptables:
+  become: true
-    chain: FORWARD
+  sysctl:
-    ctstate: ESTABLISHED,RELATED
+          name: net.ipv4.ip_forward
-    jump: ACCEPT
+          value: 1
-    in_interface: eth0
+          sysctl_set: yes
-    out_interface: wlan0
+          state: present
-  become: yes
+          reload: yes
-- name: wlan to lan
+  tags: wireless_ap
-  iptables:
+- name: copy fw config
-          chain: FORWARD
+  become: true
-          jump: ACCEPT
+  copy:
-          in_interface: wlan0
+          src: "{{ role_path }}/files/nft-rules-nat"
-          out_interface: eth0
+          dest: "/etc/nft-rules-nat"
-  become: yes
+          backup: yes
-- name: forwarding
+          owner: root
-  iptables:
+          group: root
-          chain: POSTROUTING
+          mode: "a+x"
-          out_interface: eth0
+  tags: wireless_ap
-          table: nat
+- name: iptables-restore to rc.local
-          jump: MASQUERADE
+  lineinfile:
-  become: yes
+          path: "/etc/rc.local"
+          state: present
+          insertbefore: "exit 0"
+          line: "/etc/nft-rules-nat"
+  become: true
+  tags: wireless_ap
 - name: restart dhcpcd
   become: true
   systemd:

roles/common/vars/os_Raspbian_11.yml

@@ -0,0 +1,27 @@
+---
+dependency_packages:
+  - expect
+  - ftp
+  - cadaver
+  - iperf
+  - iperf3
+  - libpcap0.8
+  - libsctp1
+  - libsctp-dev
+  - libncurses-dev
+  - libssl-dev
+  - libpcap-dev
+  - vim
+  - mc
+  - smbclient
+  - ncurses-dev
+  - build-essential
+  - openvpn
+  - lightdm
+  - lxde
+  - realvnc-vnc-server
+  - aptitude
+  - chromium-browser
+  - raspberrypi-ui-mods
+  - mtr
+  - screen

roles/ntopng/vars/os_Raspbian_11.yml

@@ -0,0 +1,15 @@
+---
+ntopng_dependency_packages:
+  - autoconf
+  - shtool
+  - libtool
+  - libcurl4-openssl-dev
+  - libsqlite3-dev
+  - libmariadbclient-dev
+  - libreadline-dev
+  - libxml2-dev
+  - libglib2.0-dev
+  - redis
+  - libmaxminddb-dev
+  - libjson-c-dev
+  - git

snmpd.yaml

@@ -0,0 +1,4 @@
+---
+- hosts: snmpd
+  roles:
+          - snmpd