Loading defaults/main.yaml +7 −1 Original line number Diff line number Diff line --- # Default variables for ans-router # interfaces wan_interface: "eth0" lan_interface: "eth1" # nat rules nat_port_forwards: [] handlers/main.yaml +12 −1 Original line number Diff line number Diff line --- # Handlers for ans-router - name: "restart iptables" ansible.builtin.service: name: "iptables" state: "restarted" when: "ipv4_enabled" - name: "restart ip6tables" ansible.builtin.service: name: "ip6tables" state: "restarted" when: "ipv6_enabled" meta/main.yaml +5 −7 Original line number Diff line number Diff line --- # meta information for ans-router galaxy_info: role_name: router namespace: siempie author: Simon description: Configure router on Alpine Linux license: MIT author: "Simon" description: "Alpine Linux router with NAT and firewall" license: "MIT" min_ansible_version: "2.14" platforms: - name: Alpine - name: "Alpine" versions: - "3.23" dependencies: [] tasks/firewall.yaml +141 −1 Original line number Diff line number Diff line --- # Configure firewall # deploy ipv4 iptable rules - name: "firewall - ipv4 rules" ansible.builtin.copy: dest: "/etc/iptables/rules-save" mode: "0600" owner: "root" group: "root" content: | *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # NAT masquerade from LAN to WAN -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE {% for forward in nat_port_forwards %} # {{ forward.name }} -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }} {% endfor %} COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow established/related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback -A INPUT -i lo -j ACCEPT # Allow LAN management access -A INPUT -i {{ lan_interface }} -j ACCEPT # Allow 
forwarding from LAN to anywhere -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT {% for forward in nat_port_forwards %} # {{ forward.name }} -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT {% endfor %} COMMIT notify: "restart iptables" when: "ipv4_enabled" # deploy ipv6 iptable rules - name: "firewall - deploy ipv6 rules" ansible.builtin.copy: dest: "/etc/ip6tables/rules-save" mode: "0600" owner: "root" group: "root" content: | *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow established/related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback -A INPUT -i lo -j ACCEPT # Allow LAN management access -A INPUT -i {{ lan_interface }} -j ACCEPT # Allow ICMPv6 (required for NDP/RA) -A INPUT -p ipv6-icmp -j ACCEPT -A FORWARD -p ipv6-icmp -j ACCEPT # Allow forwarding from LAN to anywhere -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT COMMIT notify: "restart ip6tables" when: "ipv6_enabled" # remove iptables rules when disabled - name: "firewall - remove ipv4 rules" ansible.builtin.file: path: "/etc/iptables/rules-save" state: "absent" notify: "restart iptables" when: "not ipv4_enabled" # remove ip6tables rules when disabled - name: "firewall - remove ipv6 rules" ansible.builtin.file: path: "/etc/ip6tables/rules-save" state: "absent" notify: "restart ip6tables" when: "not ipv6_enabled" # load nf_conntrack module - name: "firewall - load nf_conntrack module" community.general.modprobe: name: "nf_conntrack" state: "present" when: "ipv4_enabled or ipv6_enabled" # configure nf_conntrack hashsize - name: "firewall - configure nf_conntrack hashsize" ansible.builtin.lineinfile: path: "/etc/modprobe.d/nf_conntrack.conf" line: "options nf_conntrack hashsize=16384" create: true mode: "0644" owner: "root" group: "root" when: 
"ipv4_enabled or ipv6_enabled" # load nf_conntrack at boot - name: "firewall - load nf_conntrack at boot" ansible.builtin.lineinfile: path: "/etc/modules" line: "nf_conntrack" create: true mode: "0644" owner: "root" group: "root" when: "ipv4_enabled or ipv6_enabled" # set nf_conntrack hashsize at runtime - name: "firewall - set nf_conntrack hashsize runtime" ansible.builtin.shell: cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize" changed_when: false when: "ipv4_enabled or ipv6_enabled" # configure nf_conntrack sysctl settings - name: "firewall - configure conntrack sysctl settings" ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" state: "present" sysctl_file: "/etc/sysctl.conf" reload: false loop: - name: "net.netfilter.nf_conntrack_max" value: "16384" - name: "net.netfilter.nf_conntrack_tcp_timeout_established" value: "3600" - name: "net.netfilter.nf_conntrack_generic_timeout" value: "120" when: "ipv4_enabled or ipv6_enabled" tasks/install.yamldeleted 100644 → 0 +0 −2 Original line number Diff line number Diff line --- # Install router components Loading
defaults/main.yaml +7 −1 Original line number Diff line number Diff line --- # Default variables for ans-router # interfaces wan_interface: "eth0" lan_interface: "eth1" # nat rules nat_port_forwards: []
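Review bot: `ipv4_enabled` and `ipv6_enabled` gate every task and handler in this change but get no default here, so a play that does not set them fails on the first `when:` with an undefined-variable error unless they are defined in a vars file not shown. Give them an explicit, documented default, e.g. `ipv4_enabled: true` and `ipv6_enabled: false` (whichever values the role intends). The `nat_port_forwards: []` default also says nothing about the entry shape the firewall template reads (`name`, `dst`, `port`, optional `protocol`); a comment above it such as `# each entry: name, dst (LAN host), port, protocol (optional, default tcp)` lets callers fill it in without reading tasks/firewall.yaml.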
handlers/main.yaml +12 −1 Original line number Diff line number Diff line --- # Handlers for ans-router - name: "restart iptables" ansible.builtin.service: name: "iptables" state: "restarted" when: "ipv4_enabled" - name: "restart ip6tables" ansible.builtin.service: name: "ip6tables" state: "restarted" when: "ipv6_enabled"
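Review bot: The `restart iptables` handler is also notified by the task that removes `/etc/iptables/rules-save` when IPv4 is disabled, so `state: "restarted"` then runs against a service whose rules file no longer exists; whether Alpine's init script tolerates that is not visible here, and if it errors the handler aborts the play. A separate handler for the disabled path (`state: "stopped"` plus `enabled: false`) would stop the service instead of restarting it with no rules. The same applies to `restart ip6tables` and the ipv6 removal task.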
meta/main.yaml +5 −7 Original line number Diff line number Diff line --- # meta information for ans-router galaxy_info: role_name: router namespace: siempie author: Simon description: Configure router on Alpine Linux license: MIT author: "Simon" description: "Alpine Linux router with NAT and firewall" license: "MIT" min_ansible_version: "2.14" platforms: - name: Alpine - name: "Alpine" versions: - "3.23" dependencies: []
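Review bot: tasks/firewall.yaml uses `community.general.modprobe` and `ansible.posix.sysctl`, but this meta declares no collection requirement for either (`dependencies: []` covers roles only), so the role installs from Galaxy without its collections unless a requirements file not shown lists them. Add a `meta/requirements.yml` naming `community.general` and `ansible.posix` so `ansible-galaxy install` pulls them with the role. Minor: `role_name`/`namespace` stay unquoted while the other strings in this file were just quoted; quote them too for consistency.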
tasks/firewall.yaml +141 −1 Original line number Diff line number Diff line --- # Configure firewall # deploy ipv4 iptable rules - name: "firewall - ipv4 rules" ansible.builtin.copy: dest: "/etc/iptables/rules-save" mode: "0600" owner: "root" group: "root" content: | *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # NAT masquerade from LAN to WAN -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE {% for forward in nat_port_forwards %} # {{ forward.name }} -A PREROUTING -i {{ wan_interface }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j DNAT --to-destination {{ forward.dst }}:{{ forward.port }} {% endfor %} COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow established/related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback -A INPUT -i lo -j ACCEPT # Allow LAN management access -A INPUT -i {{ lan_interface }} -j ACCEPT # Allow forwarding from LAN to anywhere -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT {% for forward in nat_port_forwards %} # {{ forward.name }} -A FORWARD -i {{ wan_interface }} -o {{ lan_interface }} -d {{ forward.dst }} -p {{ forward.protocol | default('tcp') }} --dport {{ forward.port }} -j ACCEPT {% endfor %} COMMIT notify: "restart iptables" when: "ipv4_enabled" # deploy ipv6 iptable rules - name: "firewall - deploy ipv6 rules" ansible.builtin.copy: dest: "/etc/ip6tables/rules-save" mode: "0600" owner: "root" group: "root" content: | *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Allow established/related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback -A INPUT -i lo -j ACCEPT # Allow LAN management access -A INPUT -i {{ lan_interface }} -j ACCEPT # Allow ICMPv6 (required for NDP/RA) -A INPUT -p ipv6-icmp -j ACCEPT -A FORWARD -p 
ipv6-icmp -j ACCEPT # Allow forwarding from LAN to anywhere -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT COMMIT notify: "restart ip6tables" when: "ipv6_enabled" # remove iptables rules when disabled - name: "firewall - remove ipv4 rules" ansible.builtin.file: path: "/etc/iptables/rules-save" state: "absent" notify: "restart iptables" when: "not ipv4_enabled" # remove ip6tables rules when disabled - name: "firewall - remove ipv6 rules" ansible.builtin.file: path: "/etc/ip6tables/rules-save" state: "absent" notify: "restart ip6tables" when: "not ipv6_enabled" # load nf_conntrack module - name: "firewall - load nf_conntrack module" community.general.modprobe: name: "nf_conntrack" state: "present" when: "ipv4_enabled or ipv6_enabled" # configure nf_conntrack hashsize - name: "firewall - configure nf_conntrack hashsize" ansible.builtin.lineinfile: path: "/etc/modprobe.d/nf_conntrack.conf" line: "options nf_conntrack hashsize=16384" create: true mode: "0644" owner: "root" group: "root" when: "ipv4_enabled or ipv6_enabled" # load nf_conntrack at boot - name: "firewall - load nf_conntrack at boot" ansible.builtin.lineinfile: path: "/etc/modules" line: "nf_conntrack" create: true mode: "0644" owner: "root" group: "root" when: "ipv4_enabled or ipv6_enabled" # set nf_conntrack hashsize at runtime - name: "firewall - set nf_conntrack hashsize runtime" ansible.builtin.shell: cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize" changed_when: false when: "ipv4_enabled or ipv6_enabled" # configure nf_conntrack sysctl settings - name: "firewall - configure conntrack sysctl settings" ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" state: "present" sysctl_file: "/etc/sysctl.conf" reload: false loop: - name: "net.netfilter.nf_conntrack_max" value: "16384" - name: "net.netfilter.nf_conntrack_tcp_timeout_established" value: "3600" - name: "net.netfilter.nf_conntrack_generic_timeout" value: "120" when: "ipv4_enabled or 
ipv6_enabled"
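Review bot: The conntrack sysctl task sets `reload: false` without `sysctl_set: true`, so `nf_conntrack_max` and the two timeouts are only written to /etc/sysctl.conf and do not take effect on the running host until a reboot or a manual `sysctl -p`; add `sysctl_set: true` to apply them in the same run. The value 16384 is hard-coded three times (the modprobe.d line, the runtime `echo` into sysfs, and `nf_conntrack_max`) — hoist it into one role default, e.g. `nf_conntrack_hashsize: 16384`, and guard the shell task with a read of the current sysfs value instead of `changed_when: false`, which only hides that it runs on every play. The `nat_port_forwards` entries are rendered straight into the rules file, so a missing `dst` or non-numeric `port` surfaces only when iptables-restore rejects the file at service restart; validate the list before the copy task, as in the fence below. On the IPv6 side `-A INPUT -p ipv6-icmp -j ACCEPT` admits every ICMPv6 type from the WAN interface; RFC 4890 lists the types a border actually needs (NDP, RA, packet-too-big, echo) and the rest can stay behind the default DROP. Task naming is also inconsistent: `"firewall - ipv4 rules"` vs `"firewall - deploy ipv6 rules"`.
```yaml
# validate port-forward entries before they are rendered into rules-save
- name: "firewall - validate nat port forwards"
  ansible.builtin.assert:
    that:
      - item.dst is defined
      - item.port | int > 0 and item.port | int < 65536
      - (item.protocol | default('tcp')) in ['tcp', 'udp']
    quiet: true
  loop: "{{ nat_port_forwards }}"
  when: "ipv4_enabled"
# … unchanged: ipv4 rule deployment and the remaining tasks …
```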
tasks/install.yamldeleted 100644 → 0 +0 −2 Original line number Diff line number Diff line --- # Install router components