[wireguard] Use nftables on boeing

2020-08-24 13:46:07 +02:00 · 2020-08-24 13:46:07 +02:00 · 17dddde252
parent de0e30b807
commit 17dddde252
4 changed files with 61 additions and 4 deletions
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@ -8,7 +8,8 @@
      sputnik: true
      private_key: "{{ vault_wireguard_sputnik_private_key }}"
      peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
-  roles: ["wireguard"]
+  roles:
+    - wireguard

 - hosts: boeing.adm.crans.org
  vars:
@ -19,4 +20,5 @@
      if: ens20
      private_key: "{{ vault_wireguard_boeing_private_key }}"
      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
-  roles: ["wireguard"]
+  roles:
+    - wireguard
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -46,3 +46,29 @@
    name: wg-quick@sputnik
    state: started
    enabled: true
+
+- name: Install nftables
+  apt:
+    name: nftables
+    state: present
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+  when: not wireguard.sputnik
+
+- name: Deploy nftables.conf
+  template:
+    src: nftables.conf
+    dest: /etc/nftables.conf
+    mode: 0644
+    owner: root
+    group: root
+  when: not wireguard.sputnik
+
+- name: Enable and start nftables
+  systemd:
+    name: nftables
+    enabled: true
+    state: started
+  when: not wireguard.sputnik
--- a/roles/wireguard/templates/nftables.conf
+++ b/roles/wireguard/templates/nftables.conf
@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+table ip nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+	}
+}
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+	}
+	chain forward {
+		type filter hook forward priority 0;
+	}
+	chain output {
+		type filter hook output priority 0;
+	}
+}
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@ -17,8 +17,8 @@ Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}

-# PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
-# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+PostUp =   ifup   {{ wireguard.if }}; systemctl start nftables
+PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables

 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}