From ba50abce8a786fa6550517ef22d1c17fe963ad2a Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Sun, 21 Aug 2016 13:29:53 +0300
Subject: [PATCH] make local ip changeable #67

---
 config.cfg | 3 +++
 roles/common/templates/10-loopback-services.cfg.j2 | 2 +-
 roles/dns_adblocking/templates/dnsmasq.conf.j2 | 2 +-
 roles/proxy/templates/ports.conf.j2 | 6 +++---
 roles/proxy/templates/privoxy_config.j2 | 4 ++--
 roles/security/templates/rules.v4.j2 | 7 ++-----
 roles/security/templates/rules.v6.j2 | 3 ---
 roles/vpn/handlers/main.yml | 2 +-
 roles/vpn/templates/ipsec.conf.j2 | 8 ++++----
 9 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/config.cfg b/config.cfg
index f2374d1..0252cc1 100644
--- a/config.cfg
+++ b/config.cfg
@@ -22,6 +22,9 @@ dns_servers:
   - 8.8.4.4
   - 2001:4860:4860::8888
   - 2001:4860:4860::8844
+
+# IP address for proxy and local dns resolver
+local_service_ip: 172.16.0.1
 
 users:
   - mr.smith
diff --git a/roles/common/templates/10-loopback-services.cfg.j2 b/roles/common/templates/10-loopback-services.cfg.j2
index c5c47e4..09f572d 100644
--- a/roles/common/templates/10-loopback-services.cfg.j2
+++ b/roles/common/templates/10-loopback-services.cfg.j2
@@ -1,6 +1,6 @@
 auto lo:100
 iface lo:100 inet static
-  address 172.16.0.1
+  address {{ local_service_ip }}
   netmask 255.255.255.255
 
 iface lo:100 inet6 static
diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
index 316f11a..69c317e 100644
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@@ -110,7 +110,7 @@ group=nogroup
 #except-interface=
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
-listen-address=172.16.0.1,127.0.0.1,FCAA::1
+listen-address=127.0.0.1,FCAA::1,{{ local_service_ip }}
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.
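Review bot: The new `local_service_ip` key documents what the address is for but not what it must be, even though every consumer in this patch assumes a single host address (the `lo:100` alias is installed with netmask 255.255.255.255) that is reachable only from inside the tunnel, and the firewall rules accept traffic to it without any source restriction. A value inside `vpn_network`, or one that is routable on the server's LAN or the internet, would silently break routing or expose the resolver and proxies beyond the VPN. I'd extend the comment to `# IP address for proxy and local dns resolver. Must be a single (/32) address that is not inside vpn_network and not routable from outside the server.` The IPv6 counterpart (FCAA::1) stays hard-coded in the other templates, which is worth stating here so users do not expect this key to cover both families.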
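Review bot: `listen-address=127.0.0.1,FCAA::1,{{ local_service_ip }}` makes only the IPv4 half of the service address configurable while the IPv6 literal stays fixed, so the two can drift apart and a user who moves `local_service_ip` will still find the resolver answering on FCAA::1. Either introduce a matching variable (e.g. `local_service_ipv6`) or add a template comment stating that the IPv6 address is intentionally fixed. Note also that unless `bind-interfaces` is set elsewhere in this template, dnsmasq binds the wildcard socket and merely discards queries to other addresses, so this list is not by itself an exposure boundary; the INPUT rules in rules.v4.j2 are, and they should be read with that in mind.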
diff --git a/roles/proxy/templates/ports.conf.j2 b/roles/proxy/templates/ports.conf.j2
index 2618436..eb6be22 100644
--- a/roles/proxy/templates/ports.conf.j2
+++ b/roles/proxy/templates/ports.conf.j2
@@ -2,12 +2,12 @@
 # have to change the VirtualHost statement in
 # /etc/apache2/sites-enabled/000-default.conf
-Listen 172.16.0.1:8080
+Listen {{ local_service_ip }}:8080
-	Listen 172.16.0.1:443
+	Listen {{ local_service_ip }}:443
-	Listen 172.16.0.1:443
+	Listen {{ local_service_ip }}:443
diff --git a/roles/proxy/templates/privoxy_config.j2 b/roles/proxy/templates/privoxy_config.j2
index dd55f0f..485734c 100644
--- a/roles/proxy/templates/privoxy_config.j2
+++ b/roles/proxy/templates/privoxy_config.j2
@@ -781,7 +781,7 @@ logfile logfile
 # listen-address [::1]:8118
 #
 #
-listen-address 172.16.0.1:8118
+listen-address {{ local_service_ip }}:8118
 #
 # 4.2. toggle
 # ============
@@ -1256,7 +1256,7 @@ enable-proxy-authentication-forwarding 0
 # forward / parent-proxy.example.org:8000
 # forward ipv6-server.example.org .
 # forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> .
-forward / 172.16.0.1:8080
+forward / {{ local_service_ip }}:8080
 forward :443 .
 #
 #
diff --git a/roles/security/templates/rules.v4.j2 b/roles/security/templates/rules.v4.j2
index 46fbe85..c8dc1de 100644
--- a/roles/security/templates/rules.v4.j2
+++ b/roles/security/templates/rules.v4.j2
@@ -1,9 +1,6 @@
 *nat
 :PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if dns_enabled is defined and dns_enabled == "Y" %}
--A PREROUTING -s {{ vpn_network }} -p udp -m udp --dport 53 -j DNAT --to-destination 172.16.0.1:53
-{% endif %}
 -A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE
 COMMIT
 *filter
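Review bot: `Listen {{ local_service_ip }}:8080` and the two `:443` lines render as `Listen :8080` / `Listen :443` if `local_service_ip` is present in config.cfg but left empty, and Apache treats a bare port as "listen on all addresses", so a misconfiguration widens the proxy's bind scope instead of failing the play. Ansible aborts on an undefined variable by default, but not on an empty string, so the check has to be explicit: add an `assert` task in the proxy role (or a shared pre_task) that `local_service_ip` is defined and non-empty before these templates are rendered. The same rendering applies to privoxy's `listen-address {{ local_service_ip }}:8118` later in this patch, so one guard covers both. The `<IfModule>` wrappers around the `:443` lines appear to have been lost in this rendering of the hunk; the point applies to whatever enclosing block they sit in.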
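Review bot: Deleting the PREROUTING DNAT rule removes the only control that forced VPN clients' UDP/53 traffic into the local resolver; a client that ignores the pushed `rightdns` or hard-codes a public resolver now bypasses the ad-blocking resolver entirely, and nothing in this commit replaces that. The commit title is about making the address configurable, which the rule can take directly: `{% if dns_enabled is defined and dns_enabled == "Y" %}` / `-A PREROUTING -s {{ vpn_network }} -p udp -m udp --dport 53 -j DNAT --to-destination {{ local_service_ip }}:53` / `{% endif %}`. Note the removed rule was gated on `dns_enabled` while ipsec.conf.j2 gates the same feature on `service_dns`; if `dns_enabled` was never set the rule never rendered, which may be why it looked dead — aligning the two templates on one variable is the fix, not deletion. The same rule is deleted from rules.v6.j2 for fcaa::1, and TCP/53 was never redirected by either, which is worth a comment if the rule is restored.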
@@ -22,8 +19,8 @@ COMMIT
 # The IP of the resolver should be bound to a DUMMY interface.
 # DUMMY interfaces are the proper way to install IPs without assigning them any
 # particular virtual (tun,tap,...) or physical (ethernet) interface.
--A INPUT -d 172.16.0.1 -p udp --dport 53 -j ACCEPT
--A INPUT -d 172.16.0.1 -p tcp -m multiport --dport 8080,8118 -j ACCEPT
+-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
+-A INPUT -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -p tcp --dport 445 -j DROP
 -A FORWARD -p udp -m multiport --ports 137,138 -j DROP
diff --git a/roles/security/templates/rules.v6.j2 b/roles/security/templates/rules.v6.j2
index 14449cf..a0c38e8 100644
--- a/roles/security/templates/rules.v6.j2
+++ b/roles/security/templates/rules.v6.j2
@@ -1,9 +1,6 @@
 *nat
 :PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if dns_enabled is defined and dns_enabled == "Y" %}
--A PREROUTING -s {{ vpn_network_ipv6 }} -p udp -m udp --dport 53 -j DNAT --to-destination fcaa::1:53
-{% endif %}
 -A POSTROUTING -s {{ vpn_network_ipv6 }} -m policy --pol none --dir out -j MASQUERADE
 COMMIT
 *filter
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 94ccdfc..203e1ef 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -13,5 +13,5 @@
       - "# Config files and certificates are in the ./configs/ directory. #"
       - "# Go to https://www.dnsleaktest.com/ after connecting #"
       - "# and ensure that all your traffic passes through the VPN. #"
-      - "# Local DNS resolver and Proxy IP address: 172.16.0.1 #"
+      - "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
       - "#----------------------------------------------------------------------#"
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index cd00596..e0bec01 100644
--- a/roles/vpn/templates/ipsec.conf.j2
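Review bot: The two INPUT rules accept by destination only (`-d {{ local_service_ip }}`) with no source or interface match, so they rely on the address being unreachable from outside rather than on the rule itself; now that the address is user-chosen, a value that is routable on the server's network exposes an open resolver on UDP/53 and open proxies on 8080/8118 to anything that can reach the host. Restrict them to tunnel clients: `-A INPUT -s {{ vpn_network }} -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT` and `-A INPUT -s {{ vpn_network }} -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT`, or match `-m policy --pol ipsec --dir in` in the same way the nat table already uses a policy match. The chain's default policy is outside this hunk, so whether unmatched traffic is dropped cannot be confirmed here. The preceding comment still says the address is bound to a DUMMY interface, but the loopback-services template in this commit installs it as an alias on `lo:100`; the comment should say so to avoid misleading the next reader.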
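Review bot: The replacement banner line drops the closing `#` that every other line of the box carries, so the rendered message loses its right border; `- "# Local DNS resolver and Proxy IP address: {{ local_service_ip }} #"` keeps the box intact. Separately, this line advertises a local resolver whenever the handler runs, while ipsec.conf.j2 in this same patch only pushes `local_service_ip` as `rightdns` when `service_dns == "Y"`; if the debug task has no matching `when` (its header is outside the hunk), users who chose public DNS will be told a local resolver exists that their clients never use.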
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -23,10 +23,10 @@ conn %default
   right=%any
   rightauth=pubkey
   rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }}
-{% if service_dns is defined and service_dns == "N" %}
-  rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
-{% else %}
-  rightdns=172.16.0.1
+{% if service_dns is defined and service_dns == "Y" %}
+  rightdns={{ local_service_ip }}
+{% else %}
+  rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
 {% endif %}