From 651ee7edf620b7a7eba914da4884b1a05a2ce1da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 28 Mar 2025 14:12:42 +0100
Subject: [PATCH 1/3] dns: refs #8552 - disable ipv6 and move delete ns file

---
 roles/ns/defaults/main.yml | 2 +-
 roles/ns/files/delete.ns | 14 --------------
 roles/ns/tasks/ns.yml | 7 +++++++
 roles/ns/templates/delete.ns | 4 ++++
 roles/ns/templates/named.conf.master.j2 | 6 ++++++
 roles/ns/templates/named.conf.slave.j2 | 11 ++++++++---
 6 files changed, 26 insertions(+), 18 deletions(-)
 delete mode 100644 roles/ns/files/delete.ns
 create mode 100644 roles/ns/templates/delete.ns

diff --git a/roles/ns/defaults/main.yml b/roles/ns/defaults/main.yml
index daeccf4..4b1213f 100644
--- a/roles/ns/defaults/main.yml
+++ b/roles/ns/defaults/main.yml
@@ -18,12 +18,12 @@ bind_config_templates:
 - { src: 'dhcp.key', dest: '/etc/bind/keys/dhcp.key', mode: 'u=rw,g=r,o=' }
 - { src: 'isp1.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
 - { src: 'isp2.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
+ - { src: 'delete.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
 directory:
 - { path: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
 - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
 - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
 required_files:
- - { src: 'delete.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }
 - { src: 'switch-isp.sh', dest: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
 - { src: 'sync-conf', dest: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
 - { src: 'gen-key.sh', dest: '/root/scripts', owner: 'root', group: 'bind', mode: 'u=rwx,g=rx,o=rx' }
diff --git a/roles/ns/files/delete.ns b/roles/ns/files/delete.ns
deleted file mode 100644
index cbb97ad..0000000
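Review bot: The new `delete.ns` entry in `bind_config_templates` turns the file into a rendered template that reads `dns_records_delete`, but this hunk adds no default for that variable, so a host whose inventory does not define it fails at render time with an undefined-variable error instead of producing an empty batch. A `dns_records_delete: []` default in this file, next to the other role defaults, makes the role usable without it; the variable may of course be set in group_vars that are not visible here. The mode `u=rw,g=rw,o=r`, copied from the isp1.ns/isp2.ns entries, leaves a file that drives `nsupdate` deletions writable by group `bind` through the setgid `switch-isp` directory; unless named itself needs to write it, `u=rw,g=r,o=r` would limit what a compromised bind process can alter, matching the read-only-for-group style of the `dhcp.key` entry above.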
--- a/roles/ns/files/delete.ns
+++ /dev/null
@@ -1,14 +0,0 @@
-update delete verdnatura.es A
-update delete kube-proxy.verdnatura.es A
-update delete smtp.verdnatura.es A
-update delete imap.verdnatura.es A
-update delete autodiscover.verdnatura.es A
-update delete time1.verdnatura.es A
-update delete time2.verdnatura.es A
-update delete dc-ip01.verdnatura.es A
-update delete dc-ip02.verdnatura.es A
-update delete dc-ip03.verdnatura.es A
-update delete dc-ip04.verdnatura.es A
-update delete mailgw1.verdnatura.es A
-update delete mailgw2.verdnatura.es A
-send
diff --git a/roles/ns/tasks/ns.yml b/roles/ns/tasks/ns.yml
index 7943efa..beb5d3a 100644
--- a/roles/ns/tasks/ns.yml
+++ b/roles/ns/tasks/ns.yml
@@ -6,6 +6,13 @@
 name: "{{ bind_packages }}"
 state: present
 install_recommends: no
+- name: Ensure BIND9 starts with IPv4 only (-4)
+ lineinfile:
+ path: /etc/default/named
+ regexp: '^OPTIONS='
+ line: 'OPTIONS="-u bind -4"'
+ backrefs: yes
+ notify: restart-dns
 - name: Create directory
 file:
 path: "{{ item.path }}"
diff --git a/roles/ns/templates/delete.ns b/roles/ns/templates/delete.ns
new file mode 100644
index 0000000..899f5cc
--- /dev/null
+++ b/roles/ns/templates/delete.ns
@@ -0,0 +1,4 @@
+{% for record in dns_records_delete %}
+update delete {{ record.name.ljust(30) }} A
+{% endfor %}
+send
diff --git a/roles/ns/templates/named.conf.master.j2 b/roles/ns/templates/named.conf.master.j2
index dc63834..e923cc5 100644
--- a/roles/ns/templates/named.conf.master.j2
+++ b/roles/ns/templates/named.conf.master.j2
@@ -27,6 +27,12 @@ view "lan" { {% endfor %} }; + plugin query "filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa-on-v6 yes; + filter-aaaa { any; }; + }; + recursion yes; allow-recursion { any; }; empty-zones-enable yes;
diff --git a/roles/ns/templates/named.conf.slave.j2 b/roles/ns/templates/named.conf.slave.j2
index c1142a1..cfe4ade 100644
--- a/roles/ns/templates/named.conf.slave.j2
+++ b/roles/ns/templates/named.conf.slave.j2
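Review bot: `backrefs: yes` on the new lineinfile task makes it a silent no-op when /etc/default/named has no `OPTIONS=` line: with backrefs set, lineinfile never inserts a missing line, so on such a host the task reports ok and named keeps its IPv6 listeners, while `line` contains no backreferences that would justify the option. Dropping `backrefs: yes` lets the module append `OPTIONS="-u bind -4"` when the line is absent, and `regexp: '^OPTIONS='` still replaces an existing one. The replacement also discards any other flag previously present in OPTIONS, which deserves a comment on the task such as `# -4: open IPv4 sockets only; this overwrites any other OPTIONS flags`. The `restart-dns` handler this notifies is not visible in the hunk.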
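Review bot: The new template documents neither its input contract nor what it produces, and it fails to render if `dns_records_delete` is undefined or any entry lacks a `name` key; a header line that nsupdate ignores would record this, e.g. `; Generated by Ansible from dns_records_delete: one 'update delete <fqdn> A' per entry - edit the variable, not this file`. The `.ljust(30)` padding is cosmetic only, since nsupdate splits on whitespace, and could be dropped to keep the template minimal. Only A records are removed, as in the static file this replaces; if other record types are ever expected, the type should come from the entry rather than being fixed here.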
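Review bot: `filter-aaaa-on-v4 yes` only strips AAAA records from answers that are not DNSSEC-signed; for signed names the plugin leaves AAAA in place so validation is not broken, so this does not hide IPv6 answers for every name the way the commit title suggests. If unconditional filtering is wanted, BIND requires `break-dnssec` instead of `yes` (at the cost of validating clients), and either way the choice deserves a comment in the template, e.g. `// Hide AAAA from "lan" clients; unsigned answers only - signed answers keep AAAA`. `filter-aaaa-on-v6 yes` has no effect once named runs with `-4` and opens no IPv6 sockets, so it could be left out or marked as intentional. The enclosing `view "lan"` block starts and ends outside this hunk.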
@@ -20,17 +20,22 @@ masters master-ips { view "lan" { match-clients { - {% for item in key_match_clients_lan_master if item.startswith("!key") %} + {%- for item in key_match_clients_lan_master if item.startswith("!key") -%} {{ item }}; {% endfor %} -{% for item in acl_match_clients %} +{%- for item in acl_match_clients -%} {{ item }}; {% endfor %} -{% for item in key_match_clients_lan_slave if not item.startswith("!key") %} +{%- for item in key_match_clients_lan_slave if not item.startswith("!key") -%} {{ item }}; {% endfor %} }; + plugin query "filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa-on-v6 yes; + filter-aaaa { any; }; + }; recursion yes; allow-recursion { any; }; empty-zones-enable yes;
-- 
2.40.1

From 7ee760f5068da7a1acbae9ea6a0537ddb917e53d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 28 Mar 2025 15:49:06 +0100
Subject: [PATCH 2/3] dns: refs #8552 - indentation jinga master.conf

---
 roles/ns/templates/named.conf.master.j2 | 37 +++++++++++++------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/roles/ns/templates/named.conf.master.j2 b/roles/ns/templates/named.conf.master.j2
index e923cc5..3d0a2e0 100644
--- a/roles/ns/templates/named.conf.master.j2
+++ b/roles/ns/templates/named.conf.master.j2
@@ -15,17 +15,17 @@ options { }; view "lan" { - match-clients { - {% for item in key_match_clients_lan_master if item.startswith("!key") %} - {{ item }}; - {% endfor %} + match-clients { +{% for item in key_match_clients_lan_master if item.startswith("!key") %} + {{ item }}; +{% endfor %} {% for item in acl_match_clients %} {{ item }}; - {% endfor %} +{% endfor %} {% for item in key_match_clients_lan_master if not item.startswith("!key") %} {{ item }}; - {% endfor %} -}; +{% endfor %} + }; plugin query "filter-aaaa.so" { filter-aaaa-on-v4 yes;
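Review bot: The plugin block added here is a verbatim copy of the one added to named.conf.master.j2 in the same commit; keeping two copies in sync by hand is fragile, so a shared fragment pulled in with `{% include 'filter-aaaa.j2' %}` would let the filter settings change in one place. As in the master template, `filter-aaaa-on-v4 yes` leaves DNSSEC-signed AAAA answers intact, so a comment stating that limitation belongs here too. The switch to `{%-`/`-%}` on the three `for` tags appears to strip the newline and indentation before each first entry, so the rendered `match-clients` list runs onto the opening brace; BIND accepts it, but putting the dash on the `endfor` tags instead would keep one entry per line. The `view "lan"` block continues past the end of the hunk.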
@@ -40,14 +40,14 @@ view "lan" { include "/etc/bind/named.conf.default-zones"; - {% for zone in bind_zones.lan %} +{% for zone in bind_zones.lan %} zone "{{ zone.name }}" { type master; forwarders {}; allow-update { key {{ zone.key }}; }; file "{{ zone.file }}"; }; - {% endfor %} +{% endfor %} }; view "wan" {
@@ -60,25 +60,26 @@ view "wan" { notify explicit; also-notify { - {% for entry in bind_also_notify %} +{% for entry in bind_also_notify %} {{ entry.ip }} key {{ entry.key }}; - {% endfor %} +{% endfor %} }; - {% for zone in bind_zones.wan %} - {% if zone.in_view is defined %} - {% for z in zone.in_view %} +{% for zone in bind_zones.wan %} +{% if zone.in_view is defined %} +{% for z in zone.in_view %} zone "{{ z }}" { in-view "lan"; }; - {% endfor %} - {% else %} +{% endfor %} +{% else %} zone "{{ zone.name }}" { type master; forwarders {}; allow-update { key {{ zone.key }}; }; file "{{ zone.file }}"; }; - {% endif %} - {% endfor %} +{% endif %} +{% endfor %} };
+
-- 
2.40.1

From 0e073c7ba12b7e650cd1ff14f7f66341bf892f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Wed, 2 Apr 2025 11:34:17 +0200
Subject: [PATCH 3/3] vpn: refs #8748 - add conntrack iptables default block

---
 roles/ipsec/defaults/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml
index c8b1cd0..a7d3b9d 100644
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@@ -24,6 +24,13 @@ mangle_block: |
 -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 COMMIT
+ *filter
+ :INPUT ACCEPT [0:0]
+ :FORWARD ACCEPT [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+ -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
+ COMMIT
 config_and_logrotate:
 - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
 - { src: charon, dest: '/etc/logrotate.d/charon' }
-- 
2.40.1
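Review bot: The new filter table logs INVALID conntrack states in FORWARD but never drops them: after the LOG rule the packet falls through to the chain policy, which is `:FORWARD ACCEPT`, so despite the commit title nothing is actually blocked. If the intent is to discard them, add `-A FORWARD -m conntrack --ctstate INVALID -j DROP` after the LOG line, and since LOG is not rate-limited a flood of invalid packets can fill syslog, so `-m limit --limit 5/min --limit-burst 10` belongs on the LOG rule. Loading a `*filter` table with ACCEPT policies from this variable also resets any filter policy another role may have set if the block is fed to iptables-restore without `--noflush`; how `mangle_block` is consumed is not visible here, and its name no longer reflects that it now carries a filter table as well.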