fixed some issues and added support for snat

whotwagner · Jan 29, 2021 · ec6e207 · ec6e207
1 parent 3a5d6ff
commit ec6e207
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -32,12 +32,12 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git
       zones:
         - { name: inet, 
             type: ipv4,
-            interface: { name: $INETIF, broadcast: detect, options: "blacklist,routeback,nosmurfs" }
+            interface: { name: $INETIF, broadcast: detect, options: "routeback,nosmurfs" }
           }
         - { 
             name: lan, 
             type: ipv4,
-            interface: { name: $LANIF, broadcast: detect, options: "blacklist,routeback,bridge,nosmurfs" }
+            interface: { name: $LANIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
           }
       policy:
         - { source: fw,    dest: all,   policy: ACCEPT }
@@ -54,8 +54,8 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git
         - { action: ACCEPT,      source: inet, dest: fw, proto: tcp, dest_port: "443,8006" }
         - PING Rules
         - { action: Ping/ACCEPT, source: all, dest: all }
-      masq:
-        - { interface: $INETIF, source: 192.168.213.0/24 }
+      snat:
+        - { dest: $INETIF, source: 192.168.213.0/24 }
       params:
         - Interfaces
         - { name: INETIF, value: eth0 }
@@ -74,12 +74,12 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git
         - { name: vpn, type: ipv4 }
         - { name: inet, 
             type: ipv4,
-            interface: { name: $INETIF, broadcast: detect, options: "blacklist,routeback,nosmurfs" }
+            interface: { name: $INETIF, broadcast: detect, options: "routeback,nosmurfs" }
           }
         - { 
             name: lan, 
             type: ipv4,
-            interface: { name: $LANIF, broadcast: detect, options: "blacklist,routeback,bridge,nosmurfs" }
+            interface: { name: $LANIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
           }
       policy:
         - { source: fw,    dest: all,   policy: ACCEPT }
@@ -96,8 +96,8 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git
         - { action: SSH/ACCEPT,  source: inet, dest: fw }
         - PING Rules
         - { action: Ping/ACCEPT, source: all, dest: all }
-      masq:
-        - { interface: $INETIF, source: 192.168.213.0/24 }
+      snat:
+        - { dest: $INETIF, source: 192.168.213.0/24 }
       params:
         - Interfaces
         - { name: INETIF, value: eth0 }
@@ -107,7 +107,7 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git
         - { name: VPNNET, value: "10.10.111.0/24" } 
       hosts:
         - Test
-        - { zone: vpn, host: $OVPNIF:$VPNNET, options: "blacklist" }
+        - { zone: vpn, host: $OVPNIF:$VPNNET, options: "" }
       tunnels:
         - OpenVPN-Tunnel:
         - { type: "openvpn:1194", zone: ovpn, gateway: "0.0.0.0/0" }
@@ -122,12 +122,12 @@ shorewall6_configs:
       zones:
         - { name: inet, 
             type: ipv6,
-            interface: { name: $INETIF, broadcast: detect, options: "blacklist,routeback,nosmurfs" }
+            interface: { name: $INETIF, broadcast: detect, options: "routeback,nosmurfs" }
           }
         - { 
             name: lan, 
             type: ipv6,
-            interface: { name: $LANIF, broadcast: detect, options: "blacklist,routeback,bridge,nosmurfs" }
+            interface: { name: $LANIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
           }
       policy:
         - { source: fw,    dest: all,   policy: ACCEPT }
@@ -158,6 +158,6 @@ MIT
 
 # Author information
 
-TOSCOM [**(http://www.toscom.at/)**](http://www.toscom.at)
+Wolfgang Hotwagner
 
 Author of the forked Project: ELAO [**(http://www.elao.com/)**](http://www.elao.com)
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -6,4 +6,5 @@ shorewall_ipforward: "On"
 shorewall_configs_dir: /etc/shorewall
 shorewall6_configs_dir: /etc/shorewall6
 shorewall_configs:     []
-shorewall6_configs:    false
+shorewall6_enable: False
+shorewall6_configs:    []
diff --git a/meta/main.yml b/meta/main.yml
@@ -5,15 +5,19 @@ dependencies: []
 galaxy_info:
 
   author:              Wolfgang Hotwagner
-  company:             Toscom
   description: >
     Shorewall ( forked from Elao )
   license: MIT
-  min_ansible_version: 1.7.2
+  min_ansible_version: 2.7
   platforms:
     - name: Debian
       versions:
-        - jessie
+        - bullseye
+    - name: Ubuntu
+      versions:
+        - 20.04
   categories:
     - development
     - web
+    - firewall
+    - security
diff --git a/tasks/configs.yml b/tasks/configs.yml
@@ -14,7 +14,7 @@
   template:
     src:  "{{ item.key }}.j2"
     dest: "{{ shorewall_configs_dir }}/{{ item.key }}"
-  with_dict: shorewall_configs 
+  with_dict: "{{ shorewall_configs }}"
   notify:
     - shorewall restart
 

diff --git a/tasks/configsipv6.yml b/tasks/configsipv6.yml
@@ -8,19 +8,22 @@
     state=present
   notify:
     - shorewall6 restart
+  when: shorewall6_enable
 
 - name: shorewall6 config > Templates
 #  debug: msg="User {{ item.key }}"
   template:
     src:  "{{ item.key }}.j2"
     dest: "{{ shorewall6_configs_dir }}/{{ item.key }}"
-  with_dict: shorewall6_configs 
+  with_dict: "{{ shorewall6_configs }}"
   notify:
     - shorewall6 restart
+  when: shorewall6_enable
 
 - name: config interfaces
   template:
     src:  "interfaces.j2"
     dest: "{{ shorewall6_configs_dir }}/interfaces"
   notify:
     - shorewall6 restart
+  when: shorewall6_enable
diff --git a/tasks/debian.yml b/tasks/debian.yml
@@ -2,10 +2,8 @@
 
 - name: install > Packages
   apt:
-    name:  "{{ item }}"
     state: present
-  with_items:
-    - shorewall
+    pkg: shorewall
 
 - name: enable startup at boot
   lineinfile: >

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -6,4 +6,4 @@
 - include: configs.yml
 
 - include: configsipv6.yml
-  when: shorewall6_configs != False
+  when: shorewall6_enable
diff --git a/templates/snat.j2 b/templates/snat.j2
@@ -0,0 +1,14 @@
+##
+# Shorewall -- /etc/shorewall/snat
+#
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+#
+###########################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+{% for entry in item.value  %}
+{% if entry['dest'] is defined %}
+{{ entry['action'] | default('MASQUERADE') }}   {{entry['source'] | default('-')}}   {{entry['dest']}}   {{entry['proto'] | default('-')}} {{entry['port'] | default('-')}} {{entry['ipsec'] | default('-')}} {{entry['mark'] | default('-')}} {{entry['user'] | default('-')}} {{entry['switch'] | default('-')}} {{entry['origdest'] | default('-')}} {{entry['probability'] | default('-')}}
+{% endif %}
+{% endfor %}