---
# socat is the only package this task manages; the apt cache is not
# refreshed here (no update_cache), so a stale index on the host would
# surface as an apt error rather than a silently old package.
- name: Install required packages
  apt:
    state: present
    name: socat

# Dedicated system account whose authorized_keys are managed by the
# following task. Only name/system/state are given, so the user module's
# defaults decide shell, home and password handling.
# NOTE(review): any login restriction for this account is presumably done
# in remote/sshd_config.j2, which is not visible in this file — confirm.
- name: Ensure unprivileged ssh user exists
  user:
    state: present
    system: true
    name: "{{ ssh_tunnel_sshd_unprivileged_user }}"

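# Render the tunnel user's authorized_keys from the role template.
# mode is quoted: an unquoted 0600 is parsed by YAML as the octal integer
# 384, and Ansible's handling of integer modes is unreliable in loops and
# on some versions; a string lets Ansible do the octal conversion itself.
# NOTE(review): template does not create parent directories, so this
# assumes ssh_tunnel_remote_sshdir already exists and ends with "/".
# No group is given, and unlike the sshd_config task there is no become
# here — confirm the resulting ownership/group is acceptable to sshd.
- name: Set authorized_keys for unprivileged user
  template:
    src: remote/authorized_keys.j2
    dest: "{{ ssh_tunnel_remote_sshdir }}authorized_keys"
    owner: "{{ ssh_tunnel_sshd_unprivileged_user }}"
    mode: '0600'
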
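# Render the tunnel-specific sshd fragment into the sshd config directory.
# Runs with become because the file is installed root-owned (owner: root).
# mode is quoted so Ansible receives the string '0644' rather than the
# integer 420 that an unquoted 0644 parses to.
# NOTE(review): nothing here notifies an sshd reload, so a changed
# tunnel.conf is not applied until sshd is restarted some other way —
# confirm a handler exists and add `notify` here if so. Consider also
# `validate: 'sshd -t -f %s'` if the rendered fragment is self-contained
# enough for sshd -t to accept on its own.
- name: Set sshd_config
  become: true
  template:
    src: remote/sshd_config.j2
    dest: "{{ ssh_tunnel_sshd_conf_dir }}tunnel.conf"
    owner: root
    mode: '0644'
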
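# Turn on kernel-wide IPv4 forwarding, written to sysctl.conf (state:
# present) and applied immediately (sysctl_set + reload).
# NOTE(review): this makes the host a router for any interface pair, which
# is broader than the loopback DNAT done later in this file; confirm that
# is intended and that filter rules bound what may actually be forwarded.
- name: Enable IPv4 forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true
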
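# Turn on IPv6 forwarding on all interfaces, persisted to sysctl.conf and
# applied immediately (sysctl_set + reload).
# NOTE(review): as with the IPv4 setting, this is host-wide routing, not
# just what the DNAT rules below need — confirm it is intended.
- name: Enable IPv6 forwarding
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'
    sysctl_set: true
    state: present
    reload: true
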
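# Without route_localnet the kernel treats a packet that arrived on a
# non-loopback interface and was DNATed to 127.0.0.1 (the forwarding rules
# below) as a martian and drops it. The flip side is that any service bound
# only to 127.0.0.1 becomes reachable through such a rewrite, so the DNAT
# rules must stay limited to the intended ports.
- name: Enable IPv4 local network forwarding
  sysctl:
    name: net.ipv4.conf.all.route_localnet
    value: '1'
    sysctl_set: true
    state: present
    reload: true
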
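# Package that restores saved iptables rules at boot; presumably what the
# `persist iptables` handler notified below relies on (handler not in this
# file). The cache is refreshed first, unlike the socat install above.
- name: Install iptables-persistent
  apt:
    name: iptables-persistent
    update_cache: true
    state: present
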
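# Empty the IPv4 nat table before the DNAT rules are re-added, so entries
# for ports no longer in tunneled_ports do not linger.
# NOTE(review): no chain is given, so every chain in nat is flushed,
# including rules added by other software on the host; a flush is also
# unconditional, so expect this task to report changed on every run.
# It does not notify `persist iptables`: if tunneled_ports is emptied, the
# saved rule set keeps the stale DNAT entries until a later change triggers
# the handler — confirm whether the flush should notify as well.
- name: Flush existing iptables entries (IPv4)
  become: true
  iptables:
    ip_version: ipv4
    table: nat
    flush: true
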
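# Empty the IPv6 nat table before the DNAT rules are re-added, so entries
# for ports no longer in tunneled_ports do not linger.
# NOTE(review): with no chain given this wipes every chain in ip6tables
# nat, including rules owned by other software, and reports changed on
# every run. Like the IPv4 flush it does not notify `persist iptables`, so
# a shrink of tunneled_ports is not necessarily written to the saved rules.
- name: Flush existing iptables entries (IPv6)
  become: true
  iptables:
    ip_version: ipv6
    table: nat
    flush: true
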
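# For each entry of tunneled_ports that lists tcp, rewrite inbound TCP on the
# external interface from the exposed port to the ephemeral localhost port.
# PREROUTING only sees packets arriving from the network, so locally
# generated connections are unaffected. Each exposed port is one explicit
# rule; nothing else on 127.0.0.1 is reachable through this table.
# The interface defaults to eth0 as before, but may now be overridden by
# setting the optional variable ssh_tunnel_in_interface.
- name: Forward privileged ports to ephemeral localhost ports (IPv4, TCP)
  become: true
  iptables:
    ip_version: ipv4
    table: nat
    chain: PREROUTING
    in_interface: "{{ ssh_tunnel_in_interface | default('eth0') }}"
    protocol: tcp
    destination_port: "{{ item.exposed_port }}"
    jump: DNAT
    to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
  loop: "{{ tunneled_ports }}"
  when: "'tcp' in item.protocols"
  notify: persist iptables
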
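# IPv6 counterpart of the IPv4 DNAT task: for each tunneled_ports entry
# that lists tcp, rewrite inbound TCP on the external interface to the
# ephemeral port on [::1]. The interface defaults to eth0 as before and may
# be overridden with the optional variable ssh_tunnel_in_interface.
# NOTE(review): Linux has no IPv6 equivalent of net.ipv4.conf.all.route_localnet,
# so a packet arriving on the external interface whose destination was
# rewritten to ::1 is normally dropped rather than delivered — verify on a
# host that this rule actually passes traffic, or DNAT to a non-loopback
# local address instead.
- name: Forward privileged ports to ephemeral localhost ports (IPv6, TCP)
  become: true
  iptables:
    ip_version: ipv6
    table: nat
    chain: PREROUTING
    in_interface: "{{ ssh_tunnel_in_interface | default('eth0') }}"
    protocol: tcp
    destination_port: "{{ item.exposed_port }}"
    jump: DNAT
    to_destination: "[::1]:{{ item.ephemeral_port }}"
  loop: "{{ tunneled_ports }}"
  when: "'tcp' in item.protocols"
  notify: persist iptables
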