devops-shit/ansible-iptables-passthru/main.yml

# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/iptables_module.html
#

- hosts: myself

  tasks:
    - name: Pass http+https to 10.0.3.194 (PRE)
      iptables:
        chain: PREROUTING
        table: nat
        protocol: tcp
        destination_port: '{{ item }}'
        jump: DNAT
        in_interface: ens3
        to_destination: 10.0.3.194:{{ item }}
      with_items: ['80', '443']

    - name: Pass http+https to 10.0.3.194 (POST)
      iptables:
        chain: POSTROUTING
        table: nat
        protocol: tcp
        destination_port: '{{ item }}'
        destination: 10.0.3.194
        jump: SNAT
        out_interface: lxcbr0
        to_source: 10.0.3.1
      with_items: ['80', '443']

    - name: Pass mail (25,143,465,993,587) to 10.0.3.141 (PRE)
      iptables:
        chain: PREROUTING
        table: nat
        protocol: tcp
        destination_port: '{{ item }}'
        jump: DNAT
        in_interface: ens3
        to_destination: 10.0.3.141:{{ item }}
      with_items: [ '25', '143', '465', '993', '587' ]

    - name: Pass mail (25,143,465,993,587) to 10.0.3.141 (POST)
      iptables:
        chain: POSTROUTING
        table: nat
        protocol: tcp
        destination_port: '{{ item }}'
        destination: 10.0.3.141
        jump: SNAT
        out_interface: lxcbr0
        to_source: 10.0.3.1
      with_items: [ '25', '143', '465', '993', '587' ]

    - name: Pass dns+ovpn (53,1194) to 10.0.3.59 (PRE)
      iptables:
        chain: PREROUTING
        table: nat
        protocol: udp
        destination_port: '{{ item }}'
        jump: DNAT
        in_interface: ens3
        to_destination: 10.0.3.59:{{ item }}
      with_items: [ '53', '1194' ]

    - name: Pass dns+ovpn (53,1194) to 10.0.3.59 (POST)
      iptables:
        chain: POSTROUTING
        table: nat
        protocol: udp
        destination_port: '{{ item }}'
        destination: 10.0.3.59
        jump: SNAT
        out_interface: lxcbr0
        to_source: 10.0.3.1
      with_items: [ '53', '1194' ]

    # - name: mount certs on mail container
    #   mount: 
    #     path: /mnt/lxc/mail/etc/letsencrypt/
    #     src: /mnt/lxc/web/etc/letsencrypt/
    #     opts: ro, bind
    #     state: mounted
    #     fstype: none

    # - name: mount BKPDisk on web container
    #   mount: 
    #     path: /media/bkp/
    #     src: /mnt/lxc/web/BKPDisk/
    #     opts: ro, bind
    #     state: mounted
    #     fstype: none


    # - name: mount certs on mail container
    #   shell: mount --bind -o ro /mnt/lxc/web/etc/letsencrypt/ /mnt/lxc/mail/etc/letsencrypt/

    # - name: mount BKPDisk on web container
    #   shell: mount --bind /media/bkp/ /mnt/lxc/web/BKPDisk/


# iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $2 -j DNAT --to-destination $1:$2
# iptables -t nat -A POSTROUTING -o $BR_IF -p tcp --dport $2 -d $1 -j SNAT --to-source $BR_IP
init 2021-09-24 12:51:19 +03:00			`# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/iptables_module.html`
			`#`

			`- hosts: myself`

			`tasks:`
			`- name: Pass http+https to 10.0.3.194 (PRE)`
			`iptables:`
			`chain: PREROUTING`
			`table: nat`
			`protocol: tcp`
			`destination_port: '{{ item }}'`
			`jump: DNAT`
			`in_interface: ens3`
			`to_destination: 10.0.3.194:{{ item }}`
			`with_items: ['80', '443']`

			`- name: Pass http+https to 10.0.3.194 (POST)`
			`iptables:`
			`chain: POSTROUTING`
			`table: nat`
			`protocol: tcp`
			`destination_port: '{{ item }}'`
			`destination: 10.0.3.194`
			`jump: SNAT`
			`out_interface: lxcbr0`
			`to_source: 10.0.3.1`
			`with_items: ['80', '443']`

			`- name: Pass mail (25,143,465,993,587) to 10.0.3.141 (PRE)`
			`iptables:`
			`chain: PREROUTING`
			`table: nat`
			`protocol: tcp`
			`destination_port: '{{ item }}'`
			`jump: DNAT`
			`in_interface: ens3`
			`to_destination: 10.0.3.141:{{ item }}`
			`with_items: [ '25', '143', '465', '993', '587' ]`

			`- name: Pass mail (25,143,465,993,587) to 10.0.3.141 (POST)`
			`iptables:`
			`chain: POSTROUTING`
			`table: nat`
			`protocol: tcp`
			`destination_port: '{{ item }}'`
			`destination: 10.0.3.141`
			`jump: SNAT`
			`out_interface: lxcbr0`
			`to_source: 10.0.3.1`
			`with_items: [ '25', '143', '465', '993', '587' ]`

			`- name: Pass dns+ovpn (53,1194) to 10.0.3.59 (PRE)`
			`iptables:`
			`chain: PREROUTING`
			`table: nat`
			`protocol: udp`
			`destination_port: '{{ item }}'`
			`jump: DNAT`
			`in_interface: ens3`
			`to_destination: 10.0.3.59:{{ item }}`
			`with_items: [ '53', '1194' ]`

			`- name: Pass dns+ovpn (53,1194) to 10.0.3.59 (POST)`
			`iptables:`
			`chain: POSTROUTING`
			`table: nat`
			`protocol: udp`
			`destination_port: '{{ item }}'`
			`destination: 10.0.3.59`
			`jump: SNAT`
			`out_interface: lxcbr0`
			`to_source: 10.0.3.1`
			`with_items: [ '53', '1194' ]`

			`# - name: mount certs on mail container`
			`# mount:`
			`# path: /mnt/lxc/mail/etc/letsencrypt/`
			`# src: /mnt/lxc/web/etc/letsencrypt/`
			`# opts: ro, bind`
			`# state: mounted`
			`# fstype: none`

			`# - name: mount BKPDisk on web container`
			`# mount:`
			`# path: /media/bkp/`
			`# src: /mnt/lxc/web/BKPDisk/`
			`# opts: ro, bind`
			`# state: mounted`
			`# fstype: none`


			`# - name: mount certs on mail container`
			`# shell: mount --bind -o ro /mnt/lxc/web/etc/letsencrypt/ /mnt/lxc/mail/etc/letsencrypt/`

			`# - name: mount BKPDisk on web container`
			`# shell: mount --bind /media/bkp/ /mnt/lxc/web/BKPDisk/`



			`# iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $2 -j DNAT --to-destination $1:$2`
			`# iptables -t nat -A POSTROUTING -o $BR_IF -p tcp --dport $2 -d $1 -j SNAT --to-source $BR_IP`