diff --git a/deploy_env/group_vars/all.yml b/deploy_env/group_vars/all.yml index 0d31f5f..c1a65cb 100644 --- a/deploy_env/group_vars/all.yml +++ b/deploy_env/group_vars/all.yml @@ -22,7 +22,7 @@ wannat_global: location_compare_type: 0 country_location: "Set_your_geographic_location_here" province_location: "Set_your_geographic_location_here" - ctrl_device_ip_addr: "172.26.121.58" + ctrl_device_name: "eth0" toroad: http_server_listen_port: 8888 diff --git a/roles/natgw/files/script/natgw_set_iptables_rule.sh b/roles/natgw/files/script/natgw_set_iptables_rule.sh new file mode 100644 index 0000000..5875436 --- /dev/null +++ b/roles/natgw/files/script/natgw_set_iptables_rule.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +if [ ! $1 ]; then + echo "must set device name!" + echo "Usage: $0 " + exit 1 +fi + +IP_ADDR_WITH_MASK=`ip addr show | grep $1 | grep inet | awk {'print $2'}` + +if [ ! $IP_ADDR_WITH_MASK ]; then + echo "get IP_ADDR_WITH_MASK error!" + exit 1 +fi + +#echo "IP_ADDR_WITH_MASK = $IP_ADDR_WITH_MASK" + +IP_ADDR=`ip addr show | grep $1 | grep inet | awk {'print $2'} | awk -F '/' {'print $1'}` +if [ ! $IP_ADDR ]; then + echo "get IP_ADDR error!" + exit 1 +fi + +#echo "IP_ADDR = $IP_ADDR" + +#set iptables +iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s $IP_ADDR -j DROP +iptables -I OUTPUT -p icmp --icmp-type redirect -s $IP_ADDR -j DROP +iptables -I FORWARD -s $IP_ADDR_WITH_MASK -j DROP + +exit 0 + + diff --git a/roles/natgw/tasks/main.yml b/roles/natgw/tasks/main.yml index 8fbb09a..d12431e 100644 --- a/roles/natgw/tasks/main.yml +++ b/roles/natgw/tasks/main.yml @@ -3,6 +3,7 @@ copy: src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.natgw_rpm_file }}" dest: "/tmp/" + - name: "install natgw" yum: 
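Review bot: `ctrl_device_name: "eth0"` reads as a real default rather than a placeholder, whereas the neighbouring `country_location`/`province_location` keys use an explicit "Set_your_…" marker; on hosts with predictable interface names (ens192, enp0s3, …) the script the unit now calls finds no address on eth0 and exits 1, which makes the ExecStartPost, and with it the natgw start, fail. Either follow the file's own convention, `ctrl_device_name: "Set_your_ctrl_device_name_here"`, or put a comment above the key saying it must be the interface that carries the address previously configured as ctrl_device_ip_addr. The `wannat_global.natgw` mapping this key lives in starts before the hunk.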
@@ -21,7 +22,13 @@ file: path: /opt/tsg/wannat/natgw/conf state: directory - + +- name: "copy natgw_set_iptables_rule.sh to destination server" + copy: + src: "{{ role_path }}/files/script/natgw_set_iptables_rule.sh" + dest: "/opt/tsg/wannat/natgw/" + mode: a+x + - name: "Template the natgw.conf" template: src: "{{ role_path }}/templates/natgw.conf.j2" @@ -33,7 +40,7 @@ src: "{{ role_path }}/templates/natgw_log.conf.j2" dest: /opt/tsg/wannat/natgw/conf/natgw_log.conf tags: template - + - name: "Template the maat compile table info" template: src: "{{ role_path }}/templates/compile_tableinfo.conf.j2" @@ -60,4 +67,4 @@ state: started - \ No newline at end of file + diff --git a/roles/natgw/templates/natgw.service.j2 b/roles/natgw/templates/natgw.service.j2 index 0217bd8..b131a11 100644 --- a/roles/natgw/templates/natgw.service.j2 +++ b/roles/natgw/templates/natgw.service.j2 @@ -21,9 +21,7 @@ ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off" ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001" ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001" -ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP" -ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP" -ExecStartPost=/bin/sh -c "iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP" +ExecStartPost=/bin/sh -c "/opt/tsg/wannat/natgw/natgw_set_iptables_rule.sh {{wannat_global.natgw.ctrl_device_name}}" TimeoutSec=300s RestartSec=10s
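Review bot: The new copy task for natgw_set_iptables_rule.sh sets only `mode: a+x`, which adds execute for everyone but leaves owner, group and write bits to the module defaults, for a script that systemd runs as root from ExecStartPost. Pin ownership and an absolute mode so a writable copy cannot be substituted: `owner: root`, `group: root`, `mode: "0755"` (or "0750" if only root needs to run it). Keeping the mode quoted also sidesteps the octal/integer ambiguity Ansible warns about for unquoted numeric modes.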
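Review bot: The new ExecStartPost line interpolates `{{wannat_global.natgw.ctrl_device_name}}` unquoted into a `/bin/sh -c` string, so the value undergoes word splitting and shell metacharacter interpretation; the script takes one argument and needs no shell, so invoke it directly: `ExecStartPost=/opt/tsg/wannat/natgw/natgw_set_iptables_rule.sh {{wannat_global.natgw.ctrl_device_name}}`. The unit also has no ExecStopPost undoing what the script inserts, so the OUTPUT/FORWARD rules outlive a stop and, with RestartSec=10s, are inserted again on every restart unless the script checks before inserting. Note that the script exits 1 when the interface has no IPv4 address, which fails the unit start rather than starting natgw without the rules — worth a comment above the line so operators know why start fails on a misnamed interface. The [Service] section this hunk belongs to starts and ends outside the hunk.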