diff --git a/ansible/group_vars/nimbus.sepolia.yml b/ansible/group_vars/nimbus.sepolia.yml
index e0b3612..28e69b4 100644
--- a/ansible/group_vars/nimbus.sepolia.yml
+++ b/ansible/group_vars/nimbus.sepolia.yml
@@ -116,7 +116,7 @@ bootstrap__firewall_nftables: true
 # Open Ports
 open_ports_list:
   nginx:
-    - { port: ['80','443'], comment: 'Nginx' }
+    - { port: 443, comment: 'Nginx' }
   smart-metrics:
     - { port: '{{ smart_metrics_listen_port }}', comment: 'SMART Metrics', ipset: 'metrics.hq', iifname: 'wg0' }
   geth-node:
diff --git a/ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml b/ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml
index 8266412..eb4292b 100644
--- a/ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml
+++ b/ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml
@@ -13,9 +13,10 @@ test_api_beacon_node_branch: |-
 # WARNING: This will change if number of nodes changes.
 redirect_ports:
-  - src: 80
+  public-beacon-api:
+    src: 80
     dst: '{{ test_api_beacon_node_rest_port }}'
-    comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-{{ test_api_beacon_node_rest_index }})'
+    comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-0{{ test_api_beacon_node_rest_index|int - 1 }})'
 
 # Era files hosting
 era_files_domain: 'sepolia.era.nimbus.team'
diff --git a/ansible/roles/redirect-ports/defaults/main.yml b/ansible/roles/redirect-ports/defaults/main.yml
index d468f22..c7b27c3 100644
--- a/ansible/roles/redirect-ports/defaults/main.yml
+++ b/ansible/roles/redirect-ports/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
+redirect_interface: '{{ ansible_default_ipv4.interface }}'
 redirect_ports: []
 # - { src: 80, dst: 8080 }
diff --git a/ansible/roles/redirect-ports/handlers/main.yml b/ansible/roles/redirect-ports/handlers/main.yml
index bd6da46..e7dd4a7 100644
--- a/ansible/roles/redirect-ports/handlers/main.yml
+++ b/ansible/roles/redirect-ports/handlers/main.yml
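Review bot: `port: 443` is written as a bare integer, while the value it replaces (`['80','443']`) and the sibling `smart-metrics` entry carry the port as a quoted string, so the list now mixes YAML types; if the consuming firewall template compares or joins ports as strings this is a latent mismatch, and `- { port: '443', comment: 'Nginx' }` keeps the file consistent. Dropping 80 here removes HTTP from every host in the group, so any host whose nginx still serves an HTTP listener (an ACME or redirect vhost, say) becomes unreachable on that port unless a `redirect_ports` entry like the one in the host_vars hunk below accepts it; worth confirming that is intended for all hosts, not only linux-01.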
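Review bot: The zero-padding in the new `comment` is done by prefixing a literal `0`, so the label is only correct while `test_api_beacon_node_rest_index|int - 1` is a single digit; an index of 11 renders as `-010` rather than `-10`. Use Jinja's format filter instead: `comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-{{ "%02d" | format(test_api_beacon_node_rest_index|int - 1) }})'`. The `- 1` offset also deserves a one-line comment above the key saying why the displayed number lags the index (presumably node names count from 0 while the index is 1-based), since the existing WARNING comment does not explain it.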
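Review bot: `redirect_ports: []` is still a list, but the tasks hunk in this commit iterates it with `with_dict`, which expects a mapping; an empty list may be tolerated by the lookup's listify step, but the default should match the consumed type, `redirect_ports: {}`, and the example on the next line should follow the new keyed shape, e.g. `# public-http: { src: 80, dst: 8080, comment: 'HTTP' }`. The new `redirect_interface` default of `ansible_default_ipv4.interface` is undefined on a host without an IPv4 default route or when facts are not gathered, and the prerouting rule in tasks/main.yml renders it unconditionally; a comment above the line stating that the role requires gathered facts and an IPv4 default route (or an explicit per-host override) would make that failure mode discoverable rather than a template error at run time.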
@@ -1,3 +1,5 @@
 ---
-- name: Save iptables rules
-  shell: iptables-save > /etc/iptables/rules.v4
+- name: Reload nftables
+  service:
+    name: 'nftables'
+    state: 'reloaded'
diff --git a/ansible/roles/redirect-ports/tasks/main.yml b/ansible/roles/redirect-ports/tasks/main.yml
index 1411e06..50f9ad3 100644
--- a/ansible/roles/redirect-ports/tasks/main.yml
+++ b/ansible/roles/redirect-ports/tasks/main.yml
@@ -1,28 +1,27 @@
 ---
-- name: 'Enable redirected {{ item.dst }} port'
-  iptables:
-    comment: '{{ item.comment | default("Open {{ item.dst }}") }}'
-    chain: 'SERVICES'
-    jump: 'ACCEPT'
-    source: '0.0.0.0/0'
-    protocol: '{{ item.protocol | default("tcp") }}'
-    destination_port: '{{ item.dst | string | mandatory }}'
-  with_items: '{{ redirect_ports }}'
+- name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'
+  copy:
+    dest: '/etc/nft.conf.d/services/{{ rule.key }}.nft'
+    content: |
+      #!/usr/sbin/nft -f
+      # Managed with Ansible: redirect-ports
+      tcp dport { {{ rule.value.src | mandatory }}, {{ rule.value.dst | mandatory }} } accept comment "{{ rule.value.comment }}"
+  with_dict: '{{ redirect_ports | mandatory }}'
+  loop_control:
+    loop_var: 'rule'
+    label: '{{ rule.key }}'
   notify:
-    - Save iptables rules
+    - Reload nftables
 
-- name: 'Redirect {{ item.src }} to {{ item.dst }}'
-  iptables:
-    comment: '{{ item.comment | default("Redirect {{ item.src }} to {{ item.dst }}") }}'
-    table: 'nat'
-    chain: 'PREROUTING'
-    jump: 'REDIRECT'
-    action: insert
-    protocol: '{{ item.protocol | default("tcp") }}'
-    match: '{{ item.protocol | default("tcp") }}'
-    destination_port: '{{ item.src | string | mandatory }}'
-    to_ports: '{{ item.dst | string | mandatory }}'
-    in_interface: '{{ ansible_default_ipv4.interface }}'
-  with_items: '{{ redirect_ports }}'
+- name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'
+  copy:
+    dest: '/etc/nft.conf.d/prerouting/{{ rule.key }}.nft'
+    content: |
+      #!/usr/sbin/nft -f
+      iifname {{ redirect_interface }} tcp dport {{ rule.value.src | mandatory }} redirect to {{ rule.value.dst | mandatory }} comment "{{ rule.value.comment }}"
+  with_dict: '{{ redirect_ports | mandatory }}'
+  loop_control:
+    loop_var: 'rule'
+    label: '{{ rule.key }}'
   notify:
-    - Save iptables rules
+    - Reload nftables
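Review bot: Both new tasks carry the identical `name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'`, so play output cannot distinguish the services (accept) rule from the prerouting (redirect) rule; the first should read something like `name: 'Allow {{ rule.value.src }} and {{ rule.value.dst }} ports'`. Two behaviours of the removed iptables tasks are also lost: `comment` no longer has a default, so an entry without it makes the `copy` content fail on an undefined variable, and the `protocol` key is gone, so a UDP entry is silently written as a TCP rule — `{{ rule.value.protocol | default('tcp') }} dport ...` and `comment "{{ rule.value.comment | default('Redirect ' ~ rule.value.src ~ ' to ' ~ rule.value.dst) }}"` in each content block would restore both. The services rule now accepts `src` as well as `dst` on every interface, whereas the old ACCEPT covered only `dst`; if the intent is only to let redirected traffic through, `dst` alone suffices, since the redirect rewrites the port before the filter chain sees it, and the extra accept on `src` widens exposure on interfaces the prerouting rule does not cover. Finally, entries removed from `redirect_ports` leave their `.nft` files in place and still loaded after the reload, so the role needs a cleanup step for files whose key is no longer present to be convergent.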