Forwarding rules are also needed. The ~nat~ table is a /post/ routing
rule set, so the default routing policy (~DENY~) will drop packets
before NAT can translate them. The following rules are added to allow
-packets to be forwarded from the campus Ethernet or its wild subnet
-to an ISP on the ~isp~ interface, and back (if related to an outgoing
-packet).
+packets to be forwarded from the campus Ethernet or its wild subnet to
+an ISP on the ~isp~ interface. A generic routing rule in UFW accepts
+any related or established packet (according to the kernel's
+connection tracking).
#+NAME: ufw-forward-nat
#+CAPTION: ~ufw-forward-nat~
#+BEGIN_SRC conf
--A FORWARD -i lan -o isp -j ACCEPT
--A FORWARD -i wild -o isp -j ACCEPT
--A FORWARD -i isp -o lan {{ ACCEPT_RELATED }}
--A FORWARD -i isp -o wild {{ ACCEPT_RELATED }}
+-A ufw-user-forward -i lan -o isp -j ACCEPT
+-A ufw-user-forward -i wild -o isp -j ACCEPT
#+END_SRC
-To keep the above code lines short, the template references an
-~ACCEPT_RELATED~ variable, provided by the task, whose value includes
-the following ~iptables(8)~ rule specification parameters.
-
-: -m state --state ESTABLISHED,RELATED -j ACCEPT
-
If "the standard ~iptables-restore~ syntax" as it is described in the
~ufw-framework~ manual page, allows continuation lines, please let us
know!
#+NAME: ufw-forward-private
#+CAPTION: ~ufw-forward-private~
#+BEGIN_SRC conf
--A FORWARD -i lan -o wg0 -j ACCEPT
--A FORWARD -i wg0 -o lan -j ACCEPT
+-A ufw-user-forward -i lan -o wg0 -j ACCEPT
+-A ufw-user-forward -i wg0 -o lan -j ACCEPT
+-A ufw-user-forward -i wg0 -o wg0 -j ACCEPT
#+END_SRC
+The third rule above may seem curious; it is. It short circuits
+filters in subsequent chains (e.g. ~ufw-reject-forward~) that, by
+default, log and reject packets, even those from subnet to the same
+subnet (if it is a WireGuard™ subnet?).
+
Note that there are no forwarding rules to allow packets to pass from
the ~wild~ device to the ~lan~ device, just the ~wg0~ device.
-** Install UFW
+** Configure UFW
The following tasks install the Uncomplicated Firewall (UFW), set its
-policy in =/etc/default/ufw=, and install the above rules in
-=/etc/ufw/before.rules=. When Gate is configured by ~./abbey config
-gate~ as in the example bootstrap, enabling the firewall should not be
-a problem. But when configuring a new gate with ~./abbey config
-new-gate~, enabling the firewall could break Ansible's current and
-future ssh sessions. For this reason, Ansible /does not/ enable the
-firewall. The administrator must login and execute the following
-command after Gate is configured or new gate is "in position"
-(connected to old Gate's ~wild~ and ~isp~ networks).
+policy in =/etc/default/ufw=, install the NAT rules in
+=/etc/ufw/before.rules=, and the Forward rules in
+=/etc/ufw/user.rules= (where the ~ufw-user-forward~ chain
+is... mentioned?).
+
+When Gate is configured by ~./abbey config gate~ as in the example
+bootstrap, enabling the firewall should not be a problem. But when
+configuring a new gate with ~./abbey config new-gate~, enabling the
+firewall could break Ansible's current and future ssh sessions. For
+this reason, Ansible /does not/ enable the firewall.
+
+The administrator must login and execute the following command after
+Gate is configured or new gate is "in position" (connected to old
+Gate's ~wild~ and ~isp~ networks).
: sudo ufw enable
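Review bot: The open question in the new paragraph ("where the ~ufw-user-forward~ chain is... mentioned?") needs a definite answer before the rule placement is settled: ~ufw-user-forward~ is declared in the chain header that ufw itself writes at the top of =/etc/ufw/user.rules=, and that file is regenerated by ufw whenever a rule is added or removed from the command line, so raw ~-A ufw-user-forward~ lines appended to it are silently lost the first time someone runs ~ufw allow~ or ~ufw delete~. The supported way to put a rule in that chain is ~ufw route allow in on lan out on isp~ (one per forwarding pair); if the rules are to stay in a file Ansible owns, keep them in =/etc/ufw/before.rules= but append to ~ufw-before-forward~ rather than the bare ~FORWARD~ chain, so they still sit behind ufw's conntrack and INVALID handling. That "generic routing rule" the prose relies on is the ~-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT~ line in =before.rules=; naming it would make the removal of ~ACCEPT_RELATED~ easier to verify. With the ~ACCEPT_RELATED~ paragraph gone, the sentence beginning "If "the standard ~iptables-restore~ syntax"..." no longer has its reason (keeping lines short) and should go with it. The ~-i wg0 -o wg0~ rule deserves a plain statement of intent instead of a question: hosts on an Ethernet subnet reach each other at layer 2 without touching Gate, but WireGuard peers have no shared link, so every peer-to-peer packet is forwarded through the hub and hits ~FORWARD~. The rule therefore makes every WireGuard peer reachable from every other peer; if only hub access is intended, drop it (the ~ufw-reject-forward~ logging it short-circuits is the desired outcome in that case). Lastly, the unchanged lead-in says the default policy is ~DENY~, while the task below sets ~DEFAULT_FORWARD_POLICY="DROP"~; use the value the configuration actually sets.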
- { line: "DEFAULT_FORWARD_POLICY=\"DROP\"",
regexp: "^DEFAULT_FORWARD_POLICY=" }
-- name: Configure UFW rules.
+- name: Configure UFW NAT rules.
become: yes
- vars:
- ACCEPT_RELATED: -m state --state ESTABLISHED,RELATED -j ACCEPT
blockinfile:
- path: /etc/ufw/before.rules
block: |
*nat
:POSTROUTING ACCEPT [0:0]
<<ufw-nat>>
COMMIT
+ dest: /etc/ufw/before.rules
+ insertafter: EOF
+ prepend_newline: yes
+- name: Configure UFW FORWARD rules.
+ become: yes
+ blockinfile:
+ block: |
*filter
<<ufw-forward-nat>>
<<ufw-forward-private>>
COMMIT
+ dest: /etc/ufw/user.rules
insertafter: EOF
+ prepend_newline: yes
#+END_SRC
** Configure DHCP For The Wild Ethernet
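Review bot: Three of the new keys in these two ~blockinfile~ tasks change nothing and one raises the version floor: ~dest~ is only an alias of ~path~ (keep ~path~, the canonical name), ~insertafter: EOF~ is already the module default, and ~prepend_newline: yes~ requires ansible-core 2.14 or later, which should be stated wherever the playbook's requirements are listed. The second task also appends a complete ~*filter ... COMMIT~ section after the ~COMMIT~ that =/etc/ufw/user.rules= already ends with; ~iptables-restore~ accepts multiple table sections in one file, so this loads, but the fragment declares no chains and depends on the first section of the same file having created ~ufw-user-forward~. A task that emits ~ufw route allow in on lan out on isp~ (or the ~community.general.ufw~ module with ~route: true~, ~interface_in: lan~, ~interface_out: isp~) would avoid editing a file ufw owns and keep the rules visible in ~ufw status verbose~.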
- { line: "DEFAULT_FORWARD_POLICY=\"DROP\"",
regexp: "^DEFAULT_FORWARD_POLICY=" }
-- name: Configure UFW rules.
+- name: Configure UFW NAT rules.
become: yes
- vars:
- ACCEPT_RELATED: -m state --state ESTABLISHED,RELATED -j ACCEPT
blockinfile:
- path: /etc/ufw/before.rules
block: |
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
-A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE
COMMIT
+ dest: /etc/ufw/before.rules
+ insertafter: EOF
+ prepend_newline: yes
+- name: Configure UFW FORWARD rules.
+ become: yes
+ blockinfile:
+ block: |
*filter
- -A FORWARD -i lan -o isp -j ACCEPT
- -A FORWARD -i wild -o isp -j ACCEPT
- -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }}
- -A FORWARD -i isp -o wild {{ ACCEPT_RELATED }}
- -A FORWARD -i lan -o wg0 -j ACCEPT
- -A FORWARD -i wg0 -o lan -j ACCEPT
+ -A ufw-user-forward -i lan -o isp -j ACCEPT
+ -A ufw-user-forward -i wild -o isp -j ACCEPT
+ -A ufw-user-forward -i lan -o wg0 -j ACCEPT
+ -A ufw-user-forward -i wg0 -o lan -j ACCEPT
+ -A ufw-user-forward -i wg0 -o wg0 -j ACCEPT
COMMIT
+ dest: /etc/ufw/user.rules
insertafter: EOF
+ prepend_newline: yes
- name: Install DHCP server.
become: yes
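Review bot: The "Configure UFW FORWARD rules." task writes into =/etc/ufw/user.rules=, which ufw rewrites from its own rule list on every ~ufw allow~, ~ufw deny~, ~ufw delete~ and ~ufw reset~, so the five ~-A ufw-user-forward~ lines survive only until the next command-line change on Gate; the NAT block in =before.rules= does not have this problem. If this file is the tangled copy of the org block above, fix it there and regenerate. Replacing the ~blockinfile~ with one ~community.general.ufw~ call per pair, e.g. ~rule: allow~, ~route: true~, ~interface_in: lan~ / ~interface_out: isp~, lets ufw manage the chain itself (this is the same as ~ufw route allow in on lan out on isp~). After ~sudo ufw enable~, ~sudo iptables -S ufw-user-forward~ is the check that the five accepts are present; the ~-i wg0 -o wg0 -j ACCEPT~ line in particular should be confirmed intentional, since it lets every WireGuard peer reach every other peer through Gate.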