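# Install the packages this role depends on. Recommends are skipped so the
# host does not pick up extra (unreviewed) packages as a side effect.
- name: apt install
  apt:
    name: "{{ item }}"
    state: present
    install_recommends: false
  loop:
    - systemd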
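# systemd-networkd manages the bridge/dummy interfaces written by the
# following tasks; make sure it is running, enabled at boot and not masked.
- name: enable systemd-networkd
  systemd:
    name: systemd-networkd
    state: started
    enabled: true
    masked: false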
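# Define the internal bridge br0. Its address is configured in
# 11-br0.network; int0 (below) is attached to it.
- name: /etc/systemd/network/10-br0.netdev
  notify: systemctl restart systemd-networkd
  copy:
    dest: /etc/systemd/network/10-br0.netdev
    owner: root
    group: root
    # Explicit perms rather than whatever the controller's umask gives;
    # 0644 is fine here because the file carries no secrets.
    mode: "0644"
    content: |
      [NetDev]
      Name=br0
      Kind=bridge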
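# Assign the internal IPv4 and IPv6 addresses to br0.
# NOTE(review): systemd's Address= takes CIDR notation, so int_ipv4.netmask /
# int_ipv6.netmask must hold a prefix length (e.g. 24 / 64), not a dotted
# mask — confirm how these vars are defined for the inventory.
- name: /etc/systemd/network/11-br0.network
  notify: systemctl restart systemd-networkd
  copy:
    dest: /etc/systemd/network/11-br0.network
    owner: root
    group: root
    mode: "0644"
    content: |
      [Match]
      Name=br0
      [Network]
      Address={{ int_ipv4.address }}/{{ int_ipv4.netmask }}
      Address={{ int_ipv6.address }}/{{ int_ipv6.netmask }}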
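# int0 is a dummy interface; it only exists to be enslaved to br0 so the
# bridge has a port and stays up.
- name: /etc/systemd/network/12-int0.netdev
  notify: systemctl restart systemd-networkd
  copy:
    dest: /etc/systemd/network/12-int0.netdev
    owner: root
    group: root
    mode: "0644"
    content: |
      [NetDev]
      Name=int0
      Kind=dummy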
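# Attach the dummy int0 to br0.
- name: /etc/systemd/network/13-int0.network
  notify: systemctl restart systemd-networkd
  copy:
    dest: /etc/systemd/network/13-int0.network
    owner: root
    group: root
    mode: "0644"
    content: |
      [Match]
      Name=int0
      [Network]
      Bridge=br0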
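# Turn on IPv4 routing for the NAT set up below. Forwarding is still gated
# by ufw: DEFAULT_FORWARD_POLICY is DROP in /etc/default/ufw, so traffic is
# only routed where an explicit forward/route rule allows it.
# IPv6 forwarding (net.ipv6.conf.all.forwarding) is not enabled here.
- name: sysctl net.ipv4.ip_forward
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true
    # Own drop-in file so the setting survives package updates of sysctl.conf.
    sysctl_file: /etc/sysctl.d/99-bitraf-network.conf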
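# Masquerade the internal 10.13.39.0/24 network out of the upstream
# interface. The nat table is inserted into ufw's before.rules ahead of the
# stock "required lines" comment so it precedes the *filter table.
# NOTE(review): the out-interface is hard-coded as eth0; on hosts using
# predictable interface names (enp*, ens*) this rule silently never matches.
# NOTE(review): if the anchor comment is absent, blockinfile appends the
# block at EOF instead — confirm the target's before.rules is the stock one.
# Changes here only take effect after `ufw reload` (no handler is notified).
- name: install NAT
  tags:
    - nat
    - ufw
  blockinfile:
    insertbefore: "# Don't delete these required lines, otherwise there will be errors"
    path: /etc/ufw/before.rules
    block: |
      # NAT table rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      # Forward traffic through eth0 - Change to match you out-interface
      -A POSTROUTING -s 10.13.39.0/24 -o eth0 -j MASQUERADE
      # don't delete the 'COMMIT' line or these nat table rules won't
      # be processed
      COMMIT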
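# ufw policy defaults: inbound and forwarded traffic is dropped unless a
# rule allows it; outbound from the host itself is unrestricted (ACCEPT).
# IPv6 filtering is enabled so the IPv6 address on br0 is covered too.
# NOTE(review): the FTP/NetBIOS conntrack helper modules are the distro
# defaults; they are only needed if active FTP / NetBIOS name service
# crosses this host — consider trimming IPT_MODULES if not.
# Per the file's own comment, a changed IPV6= setting needs
# `ufw disable && ufw enable` to apply; nothing here notifies that.
- name: install /etc/default/ufw
  tags: ufw
  copy:
    dest: /etc/default/ufw
    owner: root
    group: root
    mode: "0644"
    content: |
      # /etc/default/ufw
      #
      # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
      # accepted). You will need to 'disable' and then 'enable' the firewall for
      # the changes to take affect.
      IPV6=yes
      # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
      # you change this you will most likely want to adjust your rules.
      DEFAULT_INPUT_POLICY="DROP"
      # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
      # you change this you will most likely want to adjust your rules.
      DEFAULT_OUTPUT_POLICY="ACCEPT"
      # Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
      # if you change this you will most likely want to adjust your rules
      DEFAULT_FORWARD_POLICY="DROP"
      # Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
      # note that setting this to ACCEPT may be a security risk. See 'man ufw' for
      # details
      DEFAULT_APPLICATION_POLICY="SKIP"
      # By default, ufw only touches its own chains. Set this to 'yes' to have ufw
      # manage the built-in chains too. Warning: setting this to 'yes' will break
      # non-ufw managed firewall rules
      MANAGE_BUILTINS=no
      #
      # IPT backend
      #
      # only enable if using iptables backend
      IPT_SYSCTL=/etc/ufw/sysctl.conf
      # Extra connection tracking modules to load. Complete list can be found in
      # net/netfilter/Kconfig of your kernel source. Some common modules:
      # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
      # nf_conntrack_netbios_ns: NetBIOS (samba) client support
      # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
      # nf_conntrack_ftp, nf_nat_ftp: active FTP support
      # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
      IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"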
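# Allow PostgreSQL (5432/tcp) only from the internal 10.13.39.0/24 network,
# the same subnet that is masqueraded above.
# Fix: the task name claimed a /14 (10.12.0.0–10.15.255.255) while the rule
# used a /24, and the source was written as a host address; both now state
# the /24 network address so the intent and the installed rule agree.
- name: "Allow port 5432 from 10.13.39.0/24 rule"
  tags: ufw
  ufw:
    rule: allow
    direction: in
    port: "5432"
    proto: tcp
    src: 10.13.39.0/24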