Commit c1aafd19 authored by Simon Cornet's avatar Simon Cornet

feat: add incoming fw rules, fixed routes and improved docs

parent b92f2c61
+3 −0
@@ -9,3 +9,6 @@ nat_port_forwards: []

# static routes
static_routes: []

# incoming firewall rules
incoming_firewall_rules: []
+2 −4
@@ -7,12 +7,10 @@
    state: "restarted"

# apply local routes
- name: "apply routes"
- name: "apply routes - add static routes"
  ansible.builtin.shell:
    cmd: |
      {% for route in static_routes %}
      ip route replace {{ route.destination }} via {{ route.gateway }}
      {% if route.interface is defined %}dev {{ route.interface }}{% endif %}
      ip route replace {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }}{{ ' metric ' + route.metric if route.metric is defined else '' }}
      {% endfor %}
  when: "static_routes | length > 0"
  changed_when: false
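Review bot: The `metric` branch on the new `ip route replace` line concatenates `' metric ' + route.metric`, but the README added in this same commit documents `metric: 100` as an integer, and Jinja2's `+` does not coerce, so a route with a numeric metric fails to render with a TypeError. Use the `~` operator, which stringifies both sides: `{{ ' metric ' ~ route.metric if route.metric is defined else '' }}` (and the same for the `dev` branch, for consistency). The route fields are also interpolated into the shell command unquoted; passing each through `| quote` keeps a malformed `destination` or `gateway` value from being interpreted by the shell rather than by `ip`. `changed_when: false` reports the task as never changing even though `ip route replace` modifies the routing table, so drift is invisible in play output; consider dropping the override or deriving it from `ip route show`. The task preceding this one starts before the hunk.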
+76 −0
@@ -16,3 +16,79 @@ This role configures router functionality on Alpine Linux.
| `routing` | Configure routing and iptables |
| `firewall` | Configure firewall rules |
| `performance` | Configure performance tuning |

## Role Variables

### Interfaces

```yaml
wan_interface: "eth0"
lan_interface: "eth1"
```

### Static Routes

```yaml
static_routes:

  - name: "route to internal network 10.0.0.0/8 via 192.168.1.1"
    destination: "10.0.0.0/8"
    gateway: "192.168.1.1"

  - name: "route to dmz with custom metric"
    destination: "172.16.0.0/12"
    gateway: "192.168.1.254"
    metric: 100

  - name: "route with specific interface"
    destination: "192.168.100.0/24"
    gateway: "192.168.1.1"
    interface: "eth1"
```

### Incoming Firewall Rules

```yaml
incoming_firewall_rules:

  - name: "allow ssh from lan"
    source: "192.168.1.0/24"
    protocol: "tcp"
    port: 22

  - name: "allow https from lan"
    source: "192.168.1.0/24"
    protocol: "tcp"
    port: 443

  - name: "allow dns from lan"
    source: "192.168.1.0/24"
    protocol: "udp"
    port: 53

  - name: "allow ping from lan"
    source: "192.168.1.0/24"
    protocol: "icmp"
    port: 0
```

### NAT Port Forwards

```yaml
nat_port_forwards:

  - name: "forward http to web server"
    dst: "192.168.1.10"
    port: 80
    protocol: "tcp"

  - name: "forward https to web server"
    dst: "192.168.1.10"
    port: 443
    protocol: "tcp"

  - name: "forward ssh to internal server"
    dst: "192.168.1.20"
    port: 2222
    protocol: "tcp"
```
+6 −0
@@ -15,6 +15,12 @@ table inet filter {
        # Allow LAN management access
        iif {{ lan_interface }} accept

        # Allow incoming firewall rules
{% for rule in incoming_firewall_rules %}
        # {{ rule.name }}
        iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
{% endfor %}

        # Allow ICMP
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
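Review bot: Every generated rule is pinned to `iif {{ lan_interface }}`, but the unchanged line just above it, `iif {{ lan_interface }} accept`, already accepts all traffic from that interface, so as far as this hunk shows the new `incoming_firewall_rules` never match anything and the feature is a no-op. If the rules are meant to admit selected services from the outside, they should match the interface they are intended for (the role already defines `wan_interface`); if the LAN restriction is deliberate, the blanket accept above should be reconsidered instead, and either way the README should state which interface the rules apply to. Separately, the rule always renders `{{ rule.protocol }} dport {{ rule.port }}`, so the README example `protocol: "icmp"` / `port: 0` produces `icmp dport 0`, which nft rejects when the ruleset is loaded; branch on the protocol so non-port protocols render an `ip protocol` match instead. The enclosing chain starts before the hunk.
```jinja
{% for rule in incoming_firewall_rules %}
        # {{ rule.name }}
{% if rule.protocol | default('tcp') in ['tcp', 'udp'] %}
        iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
{% else %}
        iif {{ lan_interface }} ip saddr {{ rule.source }} ip protocol {{ rule.protocol }} accept
{% endif %}
{% endfor %}
```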