ansible/ssh_tunnel
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Added LocalForward

Browse source
This commit is contained in:
Philip (a-0) 2023-01-09 13:32:32 +01:00
parent 56581dd690
commit c91f34e0b4
3 changed files with 15 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
README.md
View file

@ -4,12 +4,19 @@ An ansible role to set up an ssh tunnel and port forwardings from the remote mac
... e.g. in `group_vars` ... e.g. in `group_vars`
- `ssh_tunnel_pubkey`: The complete line to be used in `authorized_keys`, e.g. "ssh-ed25519 AAAA[...]aU root@mylocalmachine" - `ssh_tunnel_pubkey`: The complete line to be used in `authorized_keys`, e.g. "ssh-ed25519 AAAA[...]aU root@mylocalmachine"
- `ssh_tunnel_privkey`: The content of the corresponding private key file, including the BEGIN and END tags. It is highly recommended to put this inside an encrypted ansible vault. - `ssh_tunnel_privkey`: The content of the corresponding private key file, including the BEGIN and END tags. It is highly recommended to put this inside an encrypted ansible vault.
- `tunneled_ports`: A list of port forwardings. Example: - `remote_forward`: The list of port forwardings *from* the remote server *to* some local machine. Example:
``` ```
tunneled_ports: remote_forward:
- exposed_port: 80 # public port at the remote machine - exposed_port: 80 # public port at the remote machine
ephemeral_port: 10080 # internal port at remote machine's localhost address. The ssh tunnel will fetch traffic from there ephemeral_port: 10080 # internal port at remote machine's localhost address. The ssh tunnel will fetch traffic from there
dest_host: my-internal-http-server.local.domain.tld # domain or IP address of the destination machine. Must be reachable form the local machine. dest_host: my-internal-http-server.local.domain.tld # domain or IP address of the destination machine. Must be reachable form the local machine.
dest_port: 80 # open port at the destination machine dest_port: 80 # open port at the destination machine
protocols: ["tcp"] # list of protocols for this forwarding. "tcp" and "udp" are supported. protocols: ["tcp"] # list of protocols for this forwarding. "tcp" and "udp" are supported.
``` ```
- `local_forward`: The list of port forwardings *from* the local machine *to* the remote machine. Example:
```
local_forward:
- local_port: 1234 # port bound on local machine, IP is automatically queried as A-record of inventory_hostname
remote_host: the-remote-server.domain.tld # remote server to forward to
remote_port: the remote machine's port to forward the traffic to
```

4
tasks/remote.yml
View file

@ -80,7 +80,7 @@
destination_port: "{{ item.exposed_port }}" destination_port: "{{ item.exposed_port }}"
jump: DNAT jump: DNAT
to_destination: "127.0.0.1:{{ item.ephemeral_port }}" to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
loop: "{{ tunneled_ports }}" loop: "{{ remote_forward }}"
when: "'tcp' in item.protocols" when: "'tcp' in item.protocols"
notify: persist iptables notify: persist iptables
@ -95,6 +95,6 @@
destination_port: "{{ item.exposed_port }}" destination_port: "{{ item.exposed_port }}"
jump: DNAT jump: DNAT
to_destination: "[::1]:{{ item.ephemeral_port }}" to_destination: "[::1]:{{ item.ephemeral_port }}"
loop: "{{ tunneled_ports }}" loop: "{{ remote_forward }}"
when: "'tcp' in item.protocols" when: "'tcp' in item.protocols"
notify: persist iptables notify: persist iptables

5
templates/local/ssh_config.j2
View file

@ -7,6 +7,9 @@ Host gateway
ExitOnForwardFailure yes ExitOnForwardFailure yes
ServerAliveInterval 5 ServerAliveInterval 5
ServerAliveCountMax 3 ServerAliveCountMax 3
{% for forwarding in tunneled_ports %} {% for forwarding in remote_forward %}
RemoteForward localhost:{{ forwarding.ephemeral_port }} {{ forwarding.dest_host }}:{{ forwarding.dest_port }} RemoteForward localhost:{{ forwarding.ephemeral_port }} {{ forwarding.dest_host }}:{{ forwarding.dest_port }}
{% endfor %} {% endfor %}
{% for forwarding in local_forward %}
LocalForward {{ query('community.general.dig', inventory_hostname, 'qtype=A') | first }}:{{ forwarding.local_port }} {{ forwarding.remote_host }}:{{ forwarding.remote_port }}
{% endfor %}