vpn: refs #8748 - Iptables approche - what to do

roles/ipsec/defaults/main.yml

@@ -5,6 +5,7 @@ strongswan_requeriments:
   - tcpdump
   - iperf
   - conntrack
+  - iptables-persistent
 certificates:
   - { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' }
   - { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' }

roles/ipsec/tasks/ipsec.yml

@@ -36,4 +36,28 @@
     dest: /etc/strongswan.d/vn.conf
     owner: root
     group: root
-    mode: u=rw,g=r,o=r
+    mode: u=rw,g=r,o=r
+- name: IP forward as a router
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    state: present
+    sysctl_set: yes
+    reload: yes
+- name: Add iptables rules in rules.v4 file
+  blockinfile:
+    path: /etc/iptables/rules.v4
+    marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN MANGED"
+    block: |
+      *mangle
+      :PREROUTING ACCEPT [0:0]
+      :INPUT ACCEPT [0:0]
+      :FORWARD ACCEPT [0:0]
+      :OUTPUT ACCEPT [0:0]
+      :POSTROUTING ACCEPT [0:0]
+      -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
+      -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360    
+  register: iptables
+- name: Reload iptables rules
+  command: netfilter-persistent reload
+  when: iptables.changed