From 68e0eb74cc2991de144d328112088c5a25ef0310 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Sun, 22 Dec 2024 17:23:24 -0500
Subject: [PATCH] Outgoing IP (#125)

* who needs cgnat
* updates
* deploy
* outgoing ip
* fix
* fix
* firewall
* firewall
* firewall
* cleanup
* optimize + deploy
* order
* outgoing ips
* gather
* cleanup

---
infra/ansible/ansible.cfg | 7 +++++++
infra/ansible/dns_server.yaml | 8 +++++---
infra/ansible/roles/dns-frr/tasks/main.yaml | 7 +++++++
infra/ansible/roles/dns-frr/templates/frr.conf.j2 | 2 ++
infra/ansible/roles/dns-frr/templates/iptables.j2 | 9 +++++++++
.../roles/dns-frr/templates/netplan_dummy2.yaml.j2 | 2 +-
.../roles/dns-frr/templates/netplan_dummy3.yaml.j2 | 9 +++++++++
infra/ansible/roles/knot-recursive/tasks/main.yaml | 2 +-
.../ansible/roles/knot-recursive/templates/kresd.conf.j2 | 5 +++++
infra/terraform/dev_jon.tfvars | 3 +++
infra/terraform/dns.tf | 1 +
infra/terraform/mesh_dns_servers/ansible.tf | 2 ++
infra/terraform/mesh_dns_servers/vars.tf | 5 +++++
infra/terraform/prod_sn10.tfvars | 4 ++++
infra/terraform/prod_sn3.tfvars | 4 ++++
infra/terraform/vars.tf | 5 +++++
16 files changed, 70 insertions(+), 5 deletions(-)
create mode 100644 infra/ansible/ansible.cfg
create mode 100644 infra/ansible/roles/dns-frr/templates/netplan_dummy3.yaml.j2

diff --git a/infra/ansible/ansible.cfg b/infra/ansible/ansible.cfg
new file mode 100644
index 0000000..7371cb2
--- /dev/null
+++ b/infra/ansible/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+host_key_checking = False
+callbacks_enabled = timer, profile_tasks, profile_roles
+pipelining = True
+
+[ssh_connection]
+ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -o ControlMaster=auto -o ControlPersist=60s'
diff --git a/infra/ansible/dns_server.yaml b/infra/ansible/dns_server.yaml
index 751aa7c..8436c90 100644
--- a/infra/ansible/dns_server.yaml
+++ b/infra/ansible/dns_server.yaml
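Review bot: `host_key_checking = False` combined with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` in the new ansible.cfg disables SSH host-key verification for every play, so any host that answers on the management network for a DNS server's address would be accepted and would receive whatever credentials and rendered configuration the play sends. If the motivation is first contact with freshly created VMs, `ssh_args = '-o StrictHostKeyChecking=accept-new -o ControlMaster=auto -o ControlPersist=60s'` keeps trust-on-first-use while still avoiding the prompt, and `host_key_checking` can stay at its default; known_hosts could also be seeded from the Terraform output that creates the VMs. Whichever is chosen, a one-line comment in the file stating why verification was relaxed would stop the next reader from treating it as a deliberate security posture. The `pipelining` and ControlMaster settings are unaffected by this.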
@@ -1,4 +1,5 @@ -- hosts: knot-authoritative +- name: Knot authoritative + hosts: knot-authoritative become: true roles: - role: dns-ssh @@ -7,11 +8,12 @@ - role: knot-authoritative - role: support-account -- hosts: knot-recursive +- name: Knot recursive + hosts: knot-recursive become: true roles: - role: dns-ssh + - role: knot-recursive - role: dns-frr - role: dns-telegraf - - role: knot-recursive - role: support-account diff --git a/infra/ansible/roles/dns-frr/tasks/main.yaml b/infra/ansible/roles/dns-frr/tasks/main.yaml index 0fae50a..a5a7b5d 100644 --- a/infra/ansible/roles/dns-frr/tasks/main.yaml +++ b/infra/ansible/roles/dns-frr/tasks/main.yaml @@ -26,6 +26,13 @@ dest: /etc/netplan/dummy2.yaml mode: "640" +- name: dummy3 interface + ansible.builtin.template: + src: ../templates/netplan_dummy3.yaml.j2 + dest: /etc/netplan/dummy3.yaml + mode: "640" + when: EXTERNAL_OUTGOING_IP != "" + - name: eth0 interface ansible.builtin.template: src: ../templates/netplan_50_cloud_init.yaml.j2 diff --git a/infra/ansible/roles/dns-frr/templates/frr.conf.j2 b/infra/ansible/roles/dns-frr/templates/frr.conf.j2 index 126f8c3..b32d076 100644 --- a/infra/ansible/roles/dns-frr/templates/frr.conf.j2 +++ b/infra/ansible/roles/dns-frr/templates/frr.conf.j2 @@ -16,5 +16,7 @@ router ospf network {{ INTERNAL_LISTEN_IP }}/32 area 0 {% if EXTERNAL_LISTEN_IP != "" %} network {{ EXTERNAL_LISTEN_IP }}/32 area 0 {% endif %} +{% if EXTERNAL_OUTGOING_IP != "" %} network {{ EXTERNAL_OUTGOING_IP }}/32 area 0 +{% endif %} exit ! \ No newline at end of file diff --git a/infra/ansible/roles/dns-frr/templates/iptables.j2 b/infra/ansible/roles/dns-frr/templates/iptables.j2 index 63efe52..b11f353 100644 --- a/infra/ansible/roles/dns-frr/templates/iptables.j2 +++ b/infra/ansible/roles/dns-frr/templates/iptables.j2 
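Review bot: The new `dummy3 interface` task in `roles/dns-frr/tasks/main.yaml` renders `/etc/netplan/dummy3.yaml` only when `EXTERNAL_OUTGOING_IP != ""`; clearing the variable later leaves the old file in place, so the host keeps binding (and, via the `network {{ EXTERNAL_OUTGOING_IP }}/32` line in frr.conf.j2, announcing) an address it is no longer meant to own. A companion task that removes the file when the value is empty makes the role converge in both directions; it would need to notify whatever handler re-applies netplan, which is outside this hunk. Note also that `when: EXTERNAL_OUTGOING_IP != ""` errors rather than skips if the variable is undefined; the `ansible.tf` hunk sets it to `""` for the authoritative hosts, so that appears handled today, but a `| default("")` would make the role self-contained.

```yaml
- name: remove dummy3 interface
  ansible.builtin.file:
    path: /etc/netplan/dummy3.yaml
    state: absent
  when: EXTERNAL_OUTGOING_IP == ""
```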
@@ -25,6 +25,15 @@ -A INPUT -d {{ EXTERNAL_LISTEN_IP }}/32 -j DROP {% endif %} +# Catch all +-A INPUT -p tcp --dport 5355 -j DROP +-A INPUT -p udp --dport 5355 -j DROP +-A INPUT -p tcp --dport 53 -j DROP +-A INPUT -p udp --dport 53 -j DROP +-A INPUT -p tcp --dport 443 -j DROP +-A INPUT -p tcp --dport 22 -j DROP +-A INPUT -p tcp --dport 25 -j DROP + -A FORWARD -s 10.70.90.53/32 -d {{ INTERNAL_MGT_IP }}/32 -j ACCEPT {% if INTERNAL_LISTEN_IP != "" %} diff --git a/infra/ansible/roles/dns-frr/templates/netplan_dummy2.yaml.j2 b/infra/ansible/roles/dns-frr/templates/netplan_dummy2.yaml.j2 index 8089ed8..cb71f8a 100644 --- a/infra/ansible/roles/dns-frr/templates/netplan_dummy2.yaml.j2 +++ b/infra/ansible/roles/dns-frr/templates/netplan_dummy2.yaml.j2 @@ -6,4 +6,4 @@ network: dhcp4: no dhcp6: no addresses: - - {{ ROUTER_IP }}/32 \ No newline at end of file + - {{ ROUTER_IP }}/32 diff --git a/infra/ansible/roles/dns-frr/templates/netplan_dummy3.yaml.j2 b/infra/ansible/roles/dns-frr/templates/netplan_dummy3.yaml.j2 new file mode 100644 index 0000000..be0521d --- /dev/null +++ b/infra/ansible/roles/dns-frr/templates/netplan_dummy3.yaml.j2 @@ -0,0 +1,9 @@ +network: + version: 2 + renderer: networkd + ethernets: + lo: + dhcp4: no + dhcp6: no + addresses: + - {{ EXTERNAL_OUTGOING_IP }}/32 diff --git a/infra/ansible/roles/knot-recursive/tasks/main.yaml b/infra/ansible/roles/knot-recursive/tasks/main.yaml index 8b79257..9692fce 100644 --- a/infra/ansible/roles/knot-recursive/tasks/main.yaml +++ b/infra/ansible/roles/knot-recursive/tasks/main.yaml @@ -45,7 +45,7 @@ group: knot-resolver mode: "640" -- name: Enable ospfd +- name: Enable restarts for kresd ansible.builtin.lineinfile: path: /lib/systemd/system/kresd@.service search_string: Restart= diff --git a/infra/ansible/roles/knot-recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot-recursive/templates/kresd.conf.j2 index fc45aa6..ad35231 100644 --- a/infra/ansible/roles/knot-recursive/templates/kresd.conf.j2 
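Review bot: The `# Catch all` block in `iptables.j2` enumerates ports to DROP instead of closing the INPUT chain by default, so any service not on the list stays reachable on the new `EXTERNAL_OUTGOING_IP` — which the frr.conf.j2 hunk now advertises as a /32 to the mesh — unless the chain policy, which this hunk does not show, is already DROP. A default-deny form (keep the per-address ACCEPTs above, then a single `-A INPUT -j DROP` after the loopback and established/related accepts, or `-P INPUT DROP`) is easier to keep correct than a port list that must track every daemon. The comment could also state the intent, e.g. `# Default deny: anything not matched by the per-address rules above`. If an ACCEPT for port 22 on the management address sits after this block, the `--dport 22` DROP would cut off Ansible, so the rule ordering is worth verifying on a host before this reaches prod.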
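Review bot: The new `netplan_dummy3.yaml.j2` configures the address on `lo` under `ethernets:` while the file, task and variable are all named dummy3, which is easy to misread as a dummy interface; a header comment such as `# EXTERNAL_OUTGOING_IP bound on lo as /32 and advertised via OSPF (frr.conf.j2) so kresd can use it as its query source address` would explain the design. If `dummy2.yaml` also declares `lo` (its interface name is outside this hunk), netplan should merge the two stanzas, but confirming on a host that both /32s coexist after `netplan apply` is worth doing once. The file now ends with a newline, which the dummy2 fix in the same patch also corrects.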
+++ b/infra/ansible/roles/knot-recursive/templates/kresd.conf.j2 @@ -14,6 +14,11 @@ net.listen('{{ EXTERNAL_LISTEN_IP }}', 53, { kind = 'dns' }) net.listen('{{ EXTERNAL_LISTEN_IP }}', 443, { kind = 'doh2' }) {% endif %} +{% if EXTERNAL_OUTGOING_IP != "" %} +-- EXTERNAL_OUTGOING_IP +net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}') +{% endif %} + -- Load useful modules modules = { 'hints > iterate', -- Allow loading /etc/hosts or custom root hints diff --git a/infra/terraform/dev_jon.tfvars b/infra/terraform/dev_jon.tfvars index e253121..c9c9c83 100644 --- a/infra/terraform/dev_jon.tfvars +++ b/infra/terraform/dev_jon.tfvars @@ -24,6 +24,9 @@ dns_auth_external_ip = [ dns_rec_external_ip = [ "", # Blank so it is not created ] +dns_rec_outgoing_ip = [ + "199.170.132.41", # Blank so it is not created +] dns_mgt_network_prefix = "10.70.90.0" dns_mgt_network_host_identifier = "24" dns_mgt_gateway = "10.70.90.1" diff --git a/infra/terraform/dns.tf b/infra/terraform/dns.tf index 321da50..443633f 100644 --- a/infra/terraform/dns.tf +++ b/infra/terraform/dns.tf @@ -15,6 +15,7 @@ module "some_mesh_dns_servers" { dns_rec_internal_ip = var.dns_rec_internal_ip dns_auth_external_ip = var.dns_auth_external_ip dns_rec_external_ip = var.dns_rec_external_ip + dns_rec_outgoing_ip = var.dns_rec_outgoing_ip dns_mgt_network_prefix = var.dns_mgt_network_prefix dns_mgt_network_host_identifier = var.dns_mgt_network_host_identifier dns_mgt_gateway = var.dns_mgt_gateway diff --git a/infra/terraform/mesh_dns_servers/ansible.tf b/infra/terraform/mesh_dns_servers/ansible.tf index ab77a5e..9f31764 100644 --- a/infra/terraform/mesh_dns_servers/ansible.tf +++ b/infra/terraform/mesh_dns_servers/ansible.tf 
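Review bot: `net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}')` pins only the IPv4 source address; if the resolver has IPv6 upstream connectivity, v6 queries still leave from the default source, which may or may not be intended and should be stated (or paired with `net.outgoing_v6` where applicable). The placeholder comment `-- EXTERNAL_OUTGOING_IP` would be more useful as `-- Send upstream queries from the dedicated outgoing IP rather than the listen/CGNAT address`. Because the `dns_server.yaml` hunk now runs `knot-recursive` before `dns-frr`, kresd is presumably given this source address before netplan has bound it on lo; the `Enable restarts for kresd` task in the same patch looks like the mitigation for that window, and a note in the template saying so would save the next reader from rediscovering it.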
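Review bot: In `dev_jon.tfvars` the new entry `"199.170.132.41", # Blank so it is not created` carries the comment copied from the `dns_rec_external_ip` list above it, but the value is not blank, so the comment now contradicts the line. Either drop the comment or say what the value is, e.g. `"199.170.132.41", # outgoing source IP for the dev recursive resolver`.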
@@ -35,6 +35,7 @@ resource "ansible_host" "rec-dns-mgt" { SERVER_HOSTNAME = "${var.hostname_prefix}-dns-rec-${sum([1, count.index, var.hostname_count_offset])}" ROUTER_IP = var.dns_rec_router_ip[count.index] EXTERNAL_LISTEN_IP = var.dns_rec_external_ip[count.index] + EXTERNAL_OUTGOING_IP = var.dns_rec_outgoing_ip[count.index] INTERNAL_NETWORK_RANGE = format("%s/%s", var.dns_mgt_network_prefix, var.dns_mgt_network_host_identifier) INTERNAL_NETWORK_HOST_IDENTIFIER = var.dns_mgt_network_host_identifier INTERNAL_LISTEN_IP = var.dns_rec_internal_ip[count.index] @@ -56,6 +57,7 @@ resource "ansible_host" "auth-dns-mgt" { SERVER_HOSTNAME = "${var.hostname_prefix}-dns-auth-${sum([1, count.index, var.hostname_count_offset])}" ROUTER_IP = var.dns_auth_router_ip[count.index] EXTERNAL_LISTEN_IP = var.dns_auth_external_ip[count.index] + EXTERNAL_OUTGOING_IP = "" INTERNAL_NETWORK_RANGE = format("%s/%s", var.dns_mgt_network_prefix, var.dns_mgt_network_host_identifier) INTERNAL_NETWORK_HOST_IDENTIFIER = var.dns_mgt_network_host_identifier INTERNAL_LISTEN_IP = var.dns_auth_internal_ip[count.index] diff --git a/infra/terraform/mesh_dns_servers/vars.tf b/infra/terraform/mesh_dns_servers/vars.tf index cbb8873..3d1f50d 100644 --- a/infra/terraform/mesh_dns_servers/vars.tf +++ b/infra/terraform/mesh_dns_servers/vars.tf @@ -68,6 +68,11 @@ variable "dns_rec_external_ip" { description = "external listen IPs for the recursive dns vm(s), empty string for none" } +variable "dns_rec_outgoing_ip" { + type = list(any) + description = "external IPs used to resolve recursive dns queries, empty string for none" +} + variable "dns_mgt_network_prefix" { type = string description = "network range to use for intneral networking" diff --git a/infra/terraform/prod_sn10.tfvars b/infra/terraform/prod_sn10.tfvars index 719aa8a..420478f 100644 --- a/infra/terraform/prod_sn10.tfvars +++ b/infra/terraform/prod_sn10.tfvars 
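Review bot: `dns_rec_outgoing_ip` in `mesh_dns_servers/vars.tf` is declared as `list(any)` even though each element is indexed per host in `ansible.tf` and interpolated verbatim into Lua (`net.outgoing_v4('…')`), the iptables rules and the netplan template, so a typo or a non-string element only surfaces as a broken resolver or firewall after deploy. Declaring it `list(string)` with a `validation` block that accepts an empty string or an IPv4 address catches that at `terraform plan`; the identical declaration in the root `vars.tf` hunk at the end of the patch should change in step. The description could also say that the list must have one entry per recursive host, since `var.dns_rec_outgoing_ip[count.index]` in `ansible.tf` has no bounds check and a short list fails at apply time.

```hcl
variable "dns_rec_outgoing_ip" {
  type        = list(string)
  description = "external IPs used to resolve recursive dns queries, one entry per recursive host, empty string for none"

  validation {
    condition     = alltrue([for ip in var.dns_rec_outgoing_ip : ip == "" || can(cidrnetmask("${ip}/32"))])
    error_message = "Each entry must be an empty string or an IPv4 address."
  }
}
```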
@@ -33,6 +33,10 @@ dns_rec_external_ip = [ "", # Blank so it is not created "", # Blank so it is not created ] +dns_rec_outgoing_ip = [ + "23.158.16.25", + "23.158.16.26", +] dns_mgt_network_prefix = "10.70.100.0" dns_mgt_network_host_identifier = "24" dns_mgt_gateway = "10.70.100.1" diff --git a/infra/terraform/prod_sn3.tfvars b/infra/terraform/prod_sn3.tfvars index 98dba3b..c744a1c 100644 --- a/infra/terraform/prod_sn3.tfvars +++ b/infra/terraform/prod_sn3.tfvars @@ -33,6 +33,10 @@ dns_rec_external_ip = [ "", # Blank so it is not created "", # Blank so it is not created ] +dns_rec_outgoing_ip = [ + "199.170.132.109", + "199.170.132.110", +] dns_mgt_network_prefix = "10.70.90.0" dns_mgt_network_host_identifier = "24" dns_mgt_gateway = "10.70.90.1" diff --git a/infra/terraform/vars.tf b/infra/terraform/vars.tf index 27eeb3e..3586430 100644 --- a/infra/terraform/vars.tf +++ b/infra/terraform/vars.tf @@ -89,6 +89,11 @@ variable "dns_rec_external_ip" { description = "external listen IPs for the recursive dns vm(s), empty string for none" } +variable "dns_rec_outgoing_ip" { + type = list(any) + description = "external IPs used to resolve recursive dns queries, empty string for none" +} + variable "dns_mgt_network_prefix" { type = string description = "network range to use for intneral networking"