diff --git a/README.md b/README.md index e301d2b..6ce98a9 100644 --- a/README.md +++ b/README.md @@ -32,12 +32,12 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git zones: - { name: inet, type: ipv4, - interface: { name: $INETIF, broadcast: detect, options: "blacklist,routeback,nosmurfs" } + interface: { name: $INETIF, broadcast: detect, options: "routeback,nosmurfs" } } - { name: lan, type: ipv4, - interface: { name: $LANIF, broadcast: detect, options: "blacklist,routeback,bridge,nosmurfs" } + interface: { name: $LANIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } policy: - { source: fw, dest: all, policy: ACCEPT } @@ -54,8 +54,8 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git - { action: ACCEPT, source: inet, dest: fw, proto: tcp, dest_port: "443,8006" } - PING Rules - { action: Ping/ACCEPT, source: all, dest: all } - masq: - - { interface: $INETIF, source: 192.168.213.0/24 } + snat: + - { dest: $INETIF, source: 192.168.213.0/24 } params: - Interfaces - { name: INETIF, value: eth0 } @@ -74,12 +74,12 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git - { name: vpn, type: ipv4 } - { name: inet, type: ipv4, - interface: { name: $INETIF, broadcast: detect, options: "blacklist,routeback,nosmurfs" } + interface: { name: $INETIF, broadcast: detect, options: "routeback,nosmurfs" } } - { name: lan, type: ipv4, - interface: { name: $LANIF, broadcast: detect, options: "blacklist,routeback,bridge,nosmurfs" } + interface: { name: $LANIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } policy: - { source: fw, dest: all, policy: ACCEPT } @@ -96,8 +96,8 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git - { action: SSH/ACCEPT, source: inet, dest: fw } - PING Rules - { action: Ping/ACCEPT, source: all, dest: all } - masq: - - { interface: $INETIF, source: 192.168.213.0/24 } + snat: + - { dest: $INETIF, source: 192.168.213.0/24 } params: - Interfaces - { name: INETIF, value: eth0 } @@ -107,7 +107,7 @@ git clone https://github.com/whotwagner/ansible-role-shorewall.git - { name: VPNNET, value: "10.10.111.0/24" } hosts: - Test - - { zone: vpn, host: $OVPNIF:$VPNNET, options: "blacklist" } + - { zone: vpn, host: $OVPNIF:$VPNNET, options: "" } tunnels: - OpenVPN-Tunnel: - { type: "openvpn:1194", zone: ovpn, gateway: "0.0.0.0/0" } @@ -122,12 +122,12 @@ shorewall6_configs: zones: - { name: inet, type: ipv6, - interface: { name: $INETIF, broadcast: detect, options: "blacklist,routeback,nosmurfs" } + interface: { name: $INETIF, broadcast: detect, options: "routeback,nosmurfs" } } - { name: lan, type: ipv6, - interface: { name: $LANIF, broadcast: detect, options: "blacklist,routeback,bridge,nosmurfs" } + interface: { name: $LANIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } policy: - { source: fw, dest: all, policy: ACCEPT } @@ -158,6 +158,6 @@ MIT # Author information -TOSCOM [**(http://www.toscom.at/)**](http://www.toscom.at) +Wolfgang Hotwagner Author of the forked Project: ELAO [**(http://www.elao.com/)**](http://www.elao.com) diff --git a/defaults/main.yml b/defaults/main.yml index 0364913..cb7cd95 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,4 +6,5 @@ shorewall_ipforward: "On" shorewall_configs_dir: /etc/shorewall shorewall6_configs_dir: /etc/shorewall6 shorewall_configs: [] -shorewall6_configs: false +shorewall6_enable: False +shorewall6_configs: [] diff --git a/meta/main.yml b/meta/main.yml index 53daa3c..d9e65ec 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,15 +5,19 @@ dependencies: [] galaxy_info: author: Wolfgang Hotwagner - company: Toscom description: > Shorewall ( forked from Elao ) license: MIT - min_ansible_version: 1.7.2 + min_ansible_version: 2.7 platforms: - name: Debian versions: - - jessie + - bullseye + - name: Ubuntu + versions: + - 20.04 categories: - development - web + - firewall + - security diff --git a/tasks/configs.yml b/tasks/configs.yml index 54f25cb..c1dd7ff 100644 --- a/tasks/configs.yml +++ b/tasks/configs.yml @@ -14,7 +14,7 @@ template: src: "{{ item.key }}.j2" dest: "{{ shorewall_configs_dir }}/{{ item.key }}" - with_dict: shorewall_configs + with_dict: "{{ shorewall_configs }}" notify: - shorewall restart diff --git a/tasks/configsipv6.yml b/tasks/configsipv6.yml index 9ef865c..1ebac41 100644 --- a/tasks/configsipv6.yml +++ b/tasks/configsipv6.yml @@ -8,15 +8,17 @@ state=present notify: - shorewall6 restart + when: shorewall6_enable - name: shorewall6 config > Templates # debug: msg="User {{ item.key }}" template: src: "{{ item.key }}.j2" dest: "{{ shorewall6_configs_dir }}/{{ item.key }}" - with_dict: shorewall6_configs + with_dict: "{{ shorewall6_configs }}" notify: - shorewall6 restart + when: shorewall6_enable - name: config interfaces template: @@ -24,3 +26,4 @@ dest: "{{ shorewall6_configs_dir }}/interfaces" notify: - shorewall6 restart + when: shorewall6_enable diff --git a/tasks/debian.yml b/tasks/debian.yml index 85708e8..92f668b 100644 --- a/tasks/debian.yml +++ b/tasks/debian.yml @@ -2,10 +2,8 @@ - name: install > Packages apt: - name: "{{ item }}" state: present - with_items: - - shorewall + pkg: shorewall - name: enable startup at boot lineinfile: > diff --git a/tasks/main.yml b/tasks/main.yml index 14a7ee3..6a8911d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,4 +6,4 @@ - include: configs.yml - include: configsipv6.yml - when: shorewall6_configs != False + when: shorewall6_enable diff --git a/templates/snat.j2 b/templates/snat.j2 new file mode 100644 index 0000000..42f5e55 --- /dev/null +++ b/templates/snat.j2 @@ -0,0 +1,14 @@ +## +# Shorewall -- /etc/shorewall/snat +# +# For information about entries in this file, type "man shorewall-snat" +# +# See http://shorewall.net/manpages/shorewall-snat.html for more information +# +########################################################################################################################################### +#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +{% for entry in item.value %} +{% if entry['dest'] is defined %} +{{ entry['action'] | default('MASQUERADE') }} {{entry['source'] | default('-')}} {{entry['dest']}} {{entry['proto'] | default('-')}} {{entry['port'] | default('-')}} {{entry['ipsec'] | default('-')}} {{entry['mark'] | default('-')}} {{entry['user'] | default('-')}} {{entry['switch'] | default('-')}} {{entry['origdest'] | default('-')}} {{entry['probability'] | default('-')}} +{% endif %} +{% endfor %}