Add failing firewall configuration

2024-04-15 09:46:00 +02:00 · 2024-04-15 09:46:00 +02:00 · 2502d034d9
commit 2502d034d9
parent e06547e25c
3 changed files with 20 additions and 20 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -9,15 +9,15 @@
  roles:
    # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
    # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
-    - role: devsec.hardening.ssh_hardening
-      become: true
-    - role: hostname
+    # - role: devsec.hardening.ssh_hardening
+    #   become: true
+    # - role: hostname
    - role: basic-intalls
-    - role: user
-    - role: cloudflare-ddns
-    - role: reverse-proxy
-    - role: actual
-    # - role: pi-hole
+    # - role: user
+    # - role: cloudflare-ddns
+    # - role: reverse-proxy
+    # - role: actual
+    - role: pi-hole
  vars:
    # devsec.hardening.ssh_hardening vars:
    ssh_allow_users: 'thomas'
--- a/roles/basic-intalls/tasks/main.yml
+++ b/roles/basic-intalls/tasks/main.yml
@ -5,6 +5,7 @@
    pkg:
      - git
      - vim
+      - dnsutils
      - ufw
      - podman
      - snapd
@ -39,6 +40,12 @@
    regexp: '^#net/ipv4/ip_forward=1$'
    line: 'net/ipv4/ip_forward=1'
  notify: Restart ufw
+- name: Allow forwarding in sysctl
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/sysctl.conf
+    regexp: '^#net\.ipv4\.ip_forward=1$'
+    line: net.ipv4.ip_forward=1
 - name: Allow all access to ssh
  become: true
  community.general.ufw:
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@ -40,7 +40,7 @@
  containers.podman.podman_container:
    name: pi-hole
    image: docker.io/pihole/pihole:2024.03.2
-    restart_policy: on-failure # TODO: Doesn't restart containers on reboot for some reason...
+    restart_policy: on-failure
    publish:
    # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
    # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
@ -78,21 +78,14 @@
  become: true
  ansible.builtin.blockinfile:
    path: /etc/ufw/before.rules
-    insertafter: "^COMMIT$"
-    block: |-
+    insertbefore: "^\\*filter$"
+    block: |
      *nat
      :PREROUTING ACCEPT [0:0]
-      -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5053
-      -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5053
+      -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
+      -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
      COMMIT
  notify: Restart ufw
- name: Allow all access to https
-  become: true
-  community.general.ufw:
-    rule: allow
-    port: https
-    proto: tcp
-  notify: Restart ufw
 - name: Allow all access to port 53 (udp)
  become: true
  community.general.ufw: