gfwleak/tsg-wannat-ansible-deploy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-8393, NATGW iptables 转发策略设置不合理, 导致Layer2和VPN模式不能共用, 已修复.

Browse Source
This commit is contained in:
lijia
2021-11-09 13:15:55 +08:00
parent 703389e834
commit 9a758df05a
4 changed files with 45 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
deploy_env/group_vars/all.yml
View File

@@ -22,7 +22,7 @@ wannat_global:
location_compare_type: 0 location_compare_type: 0
country_location: "Set_your_geographic_location_here" country_location: "Set_your_geographic_location_here"
province_location: "Set_your_geographic_location_here" province_location: "Set_your_geographic_location_here"
ctrl_device_ip_addr: "172.26.121.58" ctrl_device_name: "eth0"
toroad: toroad:
http_server_listen_port: 8888 http_server_listen_port: 8888

33
roles/natgw/files/script/natgw_set_iptables_rule.sh Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/sh
if [ ! $1 ]; then
echo "must set device name!"
echo "Usage: $0 <devie_name>"
exit 1
fi
IP_ADDR_WITH_MASK=`ip addr show | grep $1 | grep inet | awk {'print $2'}`
if [ ! $IP_ADDR_WITH_MASK ]; then
echo "get IP_ADDR_WITH_MASK error!"
exit 1
fi
#echo "IP_ADDR_WITH_MASK = $IP_ADDR_WITH_MASK"
IP_ADDR=`ip addr show | grep $1 | grep inet | awk {'print $2'} | awk -F '/' {'print $1'}`
if [ ! $IP_ADDR ]; then
echo "get IP_ADDR error!"
exit 1
fi
#echo "IP_ADDR = $IP_ADDR"
#set iptables
iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s $IP_ADDR -j DROP
iptables -I OUTPUT -p icmp --icmp-type redirect -s $IP_ADDR -j DROP
iptables -I FORWARD -s $IP_ADDR_WITH_MASK -j DROP
exit 0

7
roles/natgw/tasks/main.yml
View File

@@ -4,6 +4,7 @@
src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.natgw_rpm_file }}" src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.natgw_rpm_file }}"
dest: "/tmp/" dest: "/tmp/"
- name: "install natgw" - name: "install natgw"
yum: yum:
name: "{{ packages }}" name: "{{ packages }}"
@@ -22,6 +23,12 @@
path: /opt/tsg/wannat/natgw/conf path: /opt/tsg/wannat/natgw/conf
state: directory state: directory
- name: "copy natgw_set_iptables_rule.sh to destination server"
copy:
src: "{{ role_path }}/files/script/natgw_set_iptables_rule.sh"
dest: "/opt/tsg/wannat/natgw/"
mode: a+x
- name: "Template the natgw.conf" - name: "Template the natgw.conf"
template: template:
src: "{{ role_path }}/templates/natgw.conf.j2" src: "{{ role_path }}/templates/natgw.conf.j2"

4
roles/natgw/templates/natgw.service.j2
View File

@@ -21,9 +21,7 @@ ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off"
ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001" ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001"
ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001" ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001"
ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP" ExecStartPost=/bin/sh -c "/opt/tsg/wannat/natgw/natgw_set_iptables_rule.sh {{wannat_global.natgw.ctrl_device_name}}"
ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
ExecStartPost=/bin/sh -c "iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
TimeoutSec=300s TimeoutSec=300s
RestartSec=10s RestartSec=10s