Outgoing IP (#125)

* who needs cgnat

* updates

* deploy

* outgoing ip

* fix

* fix

* firewall

* firewall

* firewall

* cleanup

* optimize + deploy

* order

* outgoing ips

* gather

* cleanup

infra/ansible/ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+host_key_checking = False
+callbacks_enabled = timer, profile_tasks, profile_roles
+pipelining = True
+
+[ssh_connection]
+ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -o ControlMaster=auto -o ControlPersist=60s'

infra/ansible/dns_server.yaml

@@ -1,4 +1,5 @@
-- hosts: knot-authoritative
+- name: Knot authoritative
+  hosts: knot-authoritative
   become: true
   roles:
     - role: dns-ssh
@@ -7,11 +8,12 @@
     - role: knot-authoritative
     - role: support-account
 
-- hosts: knot-recursive
+- name: Knot recursive
+  hosts: knot-recursive
   become: true
   roles:
     - role: dns-ssh
+    - role: knot-recursive
     - role: dns-frr
     - role: dns-telegraf
-    - role: knot-recursive
     - role: support-account

infra/ansible/roles/dns-frr/tasks/main.yaml

@@ -26,6 +26,13 @@
     dest: /etc/netplan/dummy2.yaml
     mode: "640"
 
+- name: dummy3 interface
+  ansible.builtin.template:
+    src: ../templates/netplan_dummy3.yaml.j2
+    dest: /etc/netplan/dummy3.yaml
+    mode: "640"
+  when: EXTERNAL_OUTGOING_IP != ""
+
 - name: eth0 interface
   ansible.builtin.template:
     src: ../templates/netplan_50_cloud_init.yaml.j2

infra/ansible/roles/dns-frr/templates/frr.conf.j2

@@ -16,5 +16,7 @@ router ospf
  network {{ INTERNAL_LISTEN_IP }}/32 area 0
 {% if EXTERNAL_LISTEN_IP != "" %} network {{ EXTERNAL_LISTEN_IP }}/32 area 0
 {% endif %}
+{% if EXTERNAL_OUTGOING_IP != "" %} network {{ EXTERNAL_OUTGOING_IP }}/32 area 0
+{% endif %}
 exit
 !

infra/ansible/roles/dns-frr/templates/iptables.j2

@@ -25,6 +25,15 @@
 -A INPUT -d {{ EXTERNAL_LISTEN_IP }}/32 -j DROP
 {% endif %}
 
+# Catch all
+-A INPUT -p tcp --dport 5355 -j DROP
+-A INPUT -p udp --dport 5355 -j DROP
+-A INPUT -p tcp --dport 53   -j DROP
+-A INPUT -p udp --dport 53   -j DROP
+-A INPUT -p tcp --dport 443  -j DROP
+-A INPUT -p tcp --dport 22   -j DROP
+-A INPUT -p tcp --dport 25   -j DROP
+
 -A FORWARD -s 10.70.90.53/32 -d {{ INTERNAL_MGT_IP }}/32 -j ACCEPT
 
 {% if INTERNAL_LISTEN_IP != "" %}

infra/ansible/roles/dns-frr/templates/netplan_dummy2.yaml.j2

@@ -6,4 +6,4 @@ network:
       dhcp4: no
       dhcp6: no
       addresses:
-        - {{ ROUTER_IP }}/32
+        - {{ ROUTER_IP }}/32

infra/ansible/roles/dns-frr/templates/netplan_dummy3.yaml.j2

@@ -0,0 +1,9 @@
+network:
+  version: 2
+  renderer: networkd
+  ethernets:
+    lo:
+      dhcp4: no
+      dhcp6: no
+      addresses:
+        - {{ EXTERNAL_OUTGOING_IP }}/32

infra/ansible/roles/knot-recursive/tasks/main.yaml

@@ -45,7 +45,7 @@
     group: knot-resolver
     mode: "640"
 
-- name: Enable ospfd
+- name: Enable restarts for kresd
   ansible.builtin.lineinfile:
     path: /lib/systemd/system/[email protected]
     search_string: Restart=

infra/ansible/roles/knot-recursive/templates/kresd.conf.j2

@@ -14,6 +14,11 @@ net.listen('{{ EXTERNAL_LISTEN_IP }}', 53, { kind = 'dns' })
 net.listen('{{ EXTERNAL_LISTEN_IP }}', 443, { kind = 'doh2' })
 {% endif %}
 
+{% if EXTERNAL_OUTGOING_IP != "" %}
+-- EXTERNAL_OUTGOING_IP
+net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}')
+{% endif %}
+
 -- Load useful modules
 modules = {
         'hints > iterate',  -- Allow loading /etc/hosts or custom root hints

infra/terraform/dev_jon.tfvars

@@ -24,6 +24,9 @@ dns_auth_external_ip = [
 dns_rec_external_ip = [
   "", # Blank so it is not created
 ]
+dns_rec_outgoing_ip = [
+  "199.170.132.41", # Blank so it is not created
+]
 dns_mgt_network_prefix          = "10.70.90.0"
 dns_mgt_network_host_identifier = "24"
 dns_mgt_gateway                 = "10.70.90.1"

infra/terraform/dns.tf

@@ -15,6 +15,7 @@ module "some_mesh_dns_servers" {
   dns_rec_internal_ip             = var.dns_rec_internal_ip
   dns_auth_external_ip            = var.dns_auth_external_ip
   dns_rec_external_ip             = var.dns_rec_external_ip
+  dns_rec_outgoing_ip             = var.dns_rec_outgoing_ip
   dns_mgt_network_prefix          = var.dns_mgt_network_prefix
   dns_mgt_network_host_identifier = var.dns_mgt_network_host_identifier
   dns_mgt_gateway                 = var.dns_mgt_gateway

infra/terraform/mesh_dns_servers/ansible.tf

@@ -35,6 +35,7 @@ resource "ansible_host" "rec-dns-mgt" {
     SERVER_HOSTNAME                  = "${var.hostname_prefix}-dns-rec-${sum([1, count.index, var.hostname_count_offset])}"
     ROUTER_IP                        = var.dns_rec_router_ip[count.index]
     EXTERNAL_LISTEN_IP               = var.dns_rec_external_ip[count.index]
+    EXTERNAL_OUTGOING_IP             = var.dns_rec_outgoing_ip[count.index]
     INTERNAL_NETWORK_RANGE           = format("%s/%s", var.dns_mgt_network_prefix, var.dns_mgt_network_host_identifier)
     INTERNAL_NETWORK_HOST_IDENTIFIER = var.dns_mgt_network_host_identifier
     INTERNAL_LISTEN_IP               = var.dns_rec_internal_ip[count.index]
@@ -56,6 +57,7 @@ resource "ansible_host" "auth-dns-mgt" {
     SERVER_HOSTNAME                  = "${var.hostname_prefix}-dns-auth-${sum([1, count.index, var.hostname_count_offset])}"
     ROUTER_IP                        = var.dns_auth_router_ip[count.index]
     EXTERNAL_LISTEN_IP               = var.dns_auth_external_ip[count.index]
+    EXTERNAL_OUTGOING_IP             = ""
     INTERNAL_NETWORK_RANGE           = format("%s/%s", var.dns_mgt_network_prefix, var.dns_mgt_network_host_identifier)
     INTERNAL_NETWORK_HOST_IDENTIFIER = var.dns_mgt_network_host_identifier
     INTERNAL_LISTEN_IP               = var.dns_auth_internal_ip[count.index]

infra/terraform/mesh_dns_servers/vars.tf

@@ -68,6 +68,11 @@ variable "dns_rec_external_ip" {
   description = "external listen IPs for the recursive dns vm(s), empty string for none"
 }
 
+variable "dns_rec_outgoing_ip" {
+  type        = list(any)
+  description = "external IPs used to resolve recursive dns queries, empty string for none"
+}
+
 variable "dns_mgt_network_prefix" {
   type        = string
   description = "network range to use for intneral networking"

infra/terraform/prod_sn10.tfvars

@@ -33,6 +33,10 @@ dns_rec_external_ip = [
   "", # Blank so it is not created
   "", # Blank so it is not created
 ]
+dns_rec_outgoing_ip = [
+  "23.158.16.25",
+  "23.158.16.26",
+]
 dns_mgt_network_prefix          = "10.70.100.0"
 dns_mgt_network_host_identifier = "24"
 dns_mgt_gateway                 = "10.70.100.1"

infra/terraform/prod_sn3.tfvars

@@ -33,6 +33,10 @@ dns_rec_external_ip = [
   "", # Blank so it is not created
   "", # Blank so it is not created
 ]
+dns_rec_outgoing_ip = [
+  "199.170.132.109",
+  "199.170.132.110",
+]
 dns_mgt_network_prefix          = "10.70.90.0"
 dns_mgt_network_host_identifier = "24"
 dns_mgt_gateway                 = "10.70.90.1"

infra/terraform/vars.tf

@@ -89,6 +89,11 @@ variable "dns_rec_external_ip" {
   description = "external listen IPs for the recursive dns vm(s), empty string for none"
 }
 
+variable "dns_rec_outgoing_ip" {
+  type        = list(any)
+  description = "external IPs used to resolve recursive dns queries, empty string for none"
+}
+
 variable "dns_mgt_network_prefix" {
   type        = string
   description = "network range to use for intneral networking"