
Add iptables rules

Markus Lindenberg 8 lat temu
rodzic
commit
5c4421dd7d

+ 4 - 0
roles/gateway-iptables/files/netfilter-persistent.default

@@ -0,0 +1,4 @@
+# Configuration for netfilter-persistent
+# Plugins may extend this file or have their own
+
+FLUSH_ON_STOP=0
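Review bot: `FLUSH_ON_STOP=0` is the setting that keeps the loaded rules in place when the netfilter-persistent service stops, but nothing in the file says why it is set; a reader flipping it to 1 would have the gateway flushed on every stop, including the stop half of the restart the role's handler performs. I would add a comment above the line: `# Keep rules loaded on stop so the gateway is never left unfiltered`.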

+ 3 - 0
roles/gateway-iptables/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Restart netfilter-persistent
+  service: name=netfilter-persistent state=restarted
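Review bot: The handler passes its module arguments as a `key=value` string on the `service:` line; the tasks file in this same commit does the same, so this is a style point for the role as a whole rather than a defect. Native block YAML reads better and lets yamllint and ansible-lint check the arguments: `service:` / `  name: netfilter-persistent` / `  state: restarted`.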

+ 24 - 0
roles/gateway-iptables/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Ensure iptables and iptables-persistent are installed
+  apt: name={{ item }} install_recommends=no
+  with_items:
+    - iptables
+    - iptables-persistent
+  notify:
+    - Restart netfilter-persistent
+
+- name: Configure netfilter-persistent
+  copy: src=netfilter-persistent.default dest=/etc/default/netfilter-persistent
+  notify:
+    - Restart netfilter-persistent
+
+- name: Install IPv6 iptables rules
+  template: src=rules.v6.j2 dest=/etc/iptables/rules.v6
+  notify:
+    - Restart netfilter-persistent
+
+- name: Install IPv4 iptables rules
+  template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
+  notify:
+    - Restart netfilter-persistent
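Review bot: The two `template:` tasks write `/etc/iptables/rules.v4` and `rules.v6` without validating the rendered rule set, so a template error (an undefined `peer.name`, a typo in a match) is only discovered when the notified handler runs `iptables-restore`, and because that tool commits table by table a failure can leave only the tables committed before the failing one updated. The template module's `validate` parameter covers this: `validate: 'iptables-restore --test %s'` on the IPv4 task and `validate: 'ip6tables-restore --test %s'` on the IPv6 task. Neither `copy:` nor `template:` sets `owner`/`group`/`mode`, so the files take whatever the remote umask gives; pinning `owner: root` and `mode: "0640"` makes the intent explicit. The `key=value` argument strings on `apt:`, `copy:` and `template:` would also read better as block YAML with the Jinja expression quoted (`name: "{{ item }}"`).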

+ 38 - 0
roles/gateway-iptables/templates/rules.v4.j2

@@ -0,0 +1,38 @@
+# Generated by Ansible
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# MSS clamping
+{% if peers is defined %}{%for peer in peers %}
+-A POSTROUTING -o {{ peer.name }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
+{%endfor%}{% endif %}
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# NAT
+{% if nat_ipv4 is defined and peers is defined %}{%for peer in peers %}
+-A POSTROUTING -s {{ ipv4_network }} -o {{ peer.name }} -j SNAT --to-source {{ nat_ipv4|ipaddr('address') }}
+{%endfor%}{% endif %}
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+# Drop bogus
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# Fastd over mesh verbieten
+-A INPUT -s {{ ipv4_network }} -p udp -m udp --dport 10000 -m limit --limit 2/sec -j LOG --log-prefix "fastd over mesh: "
+-A INPUT -s {{ ipv4_network }} -p udp -m udp --dport 10000 -j REJECT --reject-with icmp-admin-prohibited
+# Drop invalid
+-A FORWARD -m state --state INVALID -j DROP
+# Fastd over mesh verbieten
+-A FORWARD -s {{ ipv4_network }} -p udp -m udp --dport 10000 -m limit --limit 2/sec -j LOG --log-prefix "fastd over mesh: "
+-A FORWARD -s {{ ipv4_network }} -p udp -m udp --dport 10000 -j REJECT --reject-with icmp-admin-prohibited
+COMMIT
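Review bot: The IPv4 MSS clamp at `-A POSTROUTING -o {{ peer.name }} ... -j TCPMSS --set-mss 1280` has no `-m tcpmss` guard, while the IPv6 template in this commit uses `-m tcpmss ! --mss 0:1220`; `--set-mss` rewrites the option unconditionally, so a SYN that already advertises an MSS below 1280 gets it raised, which is the opposite of clamping. Mirror the v6 form: `-m tcpmss ! --mss 0:1280 -j TCPMSS --set-mss 1280`. The filter table is also asymmetric between chains: INPUT drops the bogus FIN/SYN and SYN/RST combinations but not `--state INVALID`, and FORWARD does the reverse; adding `-A INPUT -m state --state INVALID -j DROP` and the two flag rules for FORWARD would give both chains the same baseline. The two LOG rules share the prefix `"fastd over mesh: "`, so a log reader cannot tell locally addressed hits from forwarded ones; distinct prefixes such as `"fastd over mesh (in): "` and `"fastd over mesh (fwd): "` help triage, and the German comment `# Fastd over mesh verbieten` should be English like the other comments in the file.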

+ 17 - 0
roles/gateway-iptables/templates/rules.v6.j2

@@ -0,0 +1,17 @@
+# Generated by Ansible
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# MSS clamping
+{% if peers is defined %}{%for peer in peers %}
+-A POSTROUTING -o {{ peer.name }} -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:1220 -j TCPMSS --set-mss 1220
+{%endfor%}{% endif %}
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
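Review bot: The IPv6 `*filter` table has only ACCEPT policies and no rules, so none of the protections the IPv4 template adds — the bogus flag drops, the `--state INVALID` drop and the fastd-over-mesh log/reject — apply to IPv6 traffic, although the MSS-clamp section shows IPv6 is expected on the peers. The flag and INVALID drops carry over unchanged (`-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP`, `-A FORWARD -m state --state INVALID -j DROP`, and so on); the fastd rules need an IPv6 mesh prefix variable, which I cannot see in this commit, so if one exists the two rules should be mirrored with `--reject-with icmp6-adm-prohibited`. If the omission is intentional, a comment in the template saying so would save the next reader the comparison.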

+ 3 - 3
roles/gateway-peering/templates/peering_interfaces.j2

@@ -1,8 +1,8 @@
 {% if peers is defined %}
 {% for peer in peers %}
 {% if peer.gre_endpoint is defined %}
-auto peer-{{peer.name}}
-iface peer-{{peer.name}} inet tunnel
+auto {{peer.name}}
+iface {{peer.name}} inet tunnel
     mode gre
     ttl 64
     mtu 1400
@@ -12,7 +12,7 @@ iface peer-{{peer.name}} inet tunnel
     local {{primary_v4_address}}
     endpoint {{peer.gre_endpoint}}
 
-iface peer-{{peer.name}} inet6 static
+iface {{peer.name}} inet6 static
     address {{peer.source_ipv6}}
 
 {% endif %}
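Review bot: With the `peer-` prefix removed, `{{peer.name}}` is now used verbatim as the kernel interface name here and as the `-o` match in the new iptables templates, so the peer definitions must keep it to at most 15 characters (the Linux IFNAMSIZ limit) and free of characters `ifup` will not accept; nothing in the role validates that. I cannot see the peers data in this commit, so this may already hold — an `assert:` task checking `peer.name | length <= 15`, or a comment in the template stating the constraint, would make it explicit. Hosts already running with `peer-*` interfaces will presumably keep them until they are taken down by hand, since the renamed stanza no longer describes them; worth a sentence in the commit description.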

+ 1 - 0
site.yml

@@ -16,6 +16,7 @@
   roles:
     - gateway-peering
     - gateway-nat
+    - gateway-iptables
     - mesh-batman
     - mesh-vpn-fastd
     - service-ntp
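Review bot: `gateway-iptables` is appended after `gateway-nat`, and its `rules.v4.j2` defines a complete `*nat` table; `iptables-restore` as run by netfilter-persistent replaces each table it declares, so any nat rules `gateway-nat` installs at run time would be dropped whenever the handler restarts netfilter-persistent. I cannot see `gateway-nat` in this commit, so this is a question rather than a defect; if it does program nat rules, either fold them into the template or drop the `*nat` section from this role. The enclosing play starts outside the hunk.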