Merge pull request '8748_VPN_Conntrack' (!81) from 8748_VPN_Conntrack into main

Reviewed-on: #81
Reviewed-by: Juan Ferrer <juan@verdnatura.es>

roles/ipsec/defaults/main.yml

@@ -24,6 +24,13 @@ mangle_block: |
   -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   COMMIT
+  *filter
+  :INPUT ACCEPT [0:0]
+  :FORWARD ACCEPT [0:0]
+  :OUTPUT ACCEPT [0:0]
+  -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+  -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
+  COMMIT
 config_and_logrotate:
   - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
   - { src: charon, dest: '/etc/logrotate.d/charon' }

roles/ns/defaults/main.yml

@@ -18,12 +18,12 @@ bind_config_templates:
   - { src: 'dhcp.key', dest: '/etc/bind/keys/dhcp.key', mode: 'u=rw,g=r,o=' }
   - { src: 'isp1.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
   - { src: 'isp2.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
+  - { src: 'delete.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
 directory:
   - { path: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
   - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
   - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
 required_files:
-  - { src: 'delete.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }
   - { src: 'switch-isp.sh', dest: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
   - { src: 'sync-conf', dest: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
   - { src: 'gen-key.sh', dest: '/root/scripts', owner: 'root', group: 'bind', mode: 'u=rwx,g=rx,o=rx' }

roles/ns/files/delete.ns

@@ -1,14 +0,0 @@
-update delete verdnatura.es              A
-update delete kube-proxy.verdnatura.es   A
-update delete smtp.verdnatura.es         A
-update delete imap.verdnatura.es         A
-update delete autodiscover.verdnatura.es A
-update delete time1.verdnatura.es        A
-update delete time2.verdnatura.es        A
-update delete dc-ip01.verdnatura.es      A
-update delete dc-ip02.verdnatura.es      A
-update delete dc-ip03.verdnatura.es      A
-update delete dc-ip04.verdnatura.es      A
-update delete mailgw1.verdnatura.es      A
-update delete mailgw2.verdnatura.es      A
-send

roles/ns/tasks/ns.yml

@@ -6,6 +6,13 @@
     name: "{{ bind_packages }}"
     state: present
     install_recommends: no
+- name: Ensure BIND9 starts with IPv4 only (-4)
+  lineinfile:
+    path: /etc/default/named
+    regexp: '^OPTIONS='
+    line: 'OPTIONS="-u bind -4"'
+    backrefs: yes
+  notify: restart-dns
 - name: Create directory
   file:
     path: "{{ item.path }}"

roles/ns/templates/delete.ns

@@ -0,0 +1,4 @@
+{% for record in dns_records_delete %}
+update delete {{ record.name.ljust(30) }} A  
+{% endfor %}
+send

roles/ns/templates/named.conf.master.j2

@@ -15,17 +15,23 @@ options {
 };
 
 view "lan" {
-        match-clients {
-        {% for item in key_match_clients_lan_master if item.startswith("!key") %}
-          {{ item }};
-          {% endfor %}
+    match-clients {
+{% for item in key_match_clients_lan_master if item.startswith("!key") %}
+        {{ item }};
+{% endfor %}
 {% for item in acl_match_clients %}
         {{ item }};
-          {% endfor %}
+{% endfor %}
 {% for item in key_match_clients_lan_master if not item.startswith("!key") %}
         {{ item }};
-          {% endfor %}
-};
+{% endfor %}
+    };
+
+    plugin query "filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { any; };
+    };
 
     recursion yes;
     allow-recursion { any; };
@@ -34,14 +40,14 @@ view "lan" {
 
     include "/etc/bind/named.conf.default-zones";
 
-    {% for zone in bind_zones.lan %}
+{% for zone in bind_zones.lan %}
     zone "{{ zone.name }}" {
         type master;
         forwarders {};
         allow-update { key {{ zone.key }}; };
         file "{{ zone.file }}";
     };
-    {% endfor %}
+{% endfor %}
 };
 
 view "wan" {
@@ -54,25 +60,26 @@ view "wan" {
     notify explicit;
 
     also-notify {
-    {% for entry in bind_also_notify %}
+{% for entry in bind_also_notify %}
         {{ entry.ip }} key {{ entry.key }};
-    {% endfor %}
+{% endfor %}
     };
 
-    {% for zone in bind_zones.wan %}
-    {% if zone.in_view is defined %}
-    {% for z in zone.in_view %}
+{% for zone in bind_zones.wan %}
+{% if zone.in_view is defined %}
+{% for z in zone.in_view %}
     zone "{{ z }}" {
         in-view "lan";
     };
-    {% endfor %}
-    {% else %}
+{% endfor %}
+{% else %}
     zone "{{ zone.name }}" {
         type master;
         forwarders {};
         allow-update { key {{ zone.key }}; };
         file "{{ zone.file }}";
     };
-    {% endif %}
-    {% endfor %}
+{% endif %}
+{% endfor %}
 };
+

roles/ns/templates/named.conf.slave.j2

@@ -20,17 +20,22 @@ masters master-ips {
 
 view "lan" {
         match-clients {
-        {% for item in key_match_clients_lan_master if item.startswith("!key") %}
+        {%- for item in key_match_clients_lan_master if item.startswith("!key") -%}
           {{ item }};
           {% endfor %}
-{% for item in acl_match_clients %}
+{%- for item in acl_match_clients -%}
         {{ item }};
           {% endfor %}
-{% for item in key_match_clients_lan_slave if not item.startswith("!key") %}
+{%- for item in key_match_clients_lan_slave if not item.startswith("!key") -%}
         {{ item }};
           {% endfor %}
 };
 
+    plugin query "filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { any; };
+    };
     recursion yes;
     allow-recursion { any; };
     empty-zones-enable yes;