https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Ansible_KIT_Firewall-Konfiguration
Ansible KIT Firewall-Konfiguration - Versionsgeschichte
2026-04-17T00:09:19Z
Versionsgeschichte dieser Seite in Xinux Wiki
MediaWiki 1.35.1
https://wiki.ixheim.de/index.php?title=Ansible_KIT_Firewall-Konfiguration&diff=68453&oldid=prev
Thomas.will am 7. April 2026 um 13:20 Uhr
2026-04-07T13:20:23Z
<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 7. April 2026, 13:20 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l24" >Zeile 24:</td>
<td colspan="2" class="diff-lineno">Zeile 24:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Diese Werte werden in alle Konfigurationsdateien als Jinja2-Variablen eingesetzt, z.B. <code>172.26.{{ fw_xx }}.1</code>.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Diese Werte werden in alle Konfigurationsdateien als Jinja2-Variablen eingesetzt, z.B. <code>172.26.{{ fw_xx }}.1</code>.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">;Hinweis zur Domain:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Die Domain lautet <code>it212.int</code> – also <code>it{{ fw_xx }}.int</code> in den Templates (nicht <code>it2{{ fw_xx }}.int</code>).</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Projektstruktur ==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Projektstruktur ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l115" >Zeile 115:</td>
<td colspan="2" class="diff-lineno">Zeile 118:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Alle Konfigurationsdateien werden als Jinja2-Templates verwaltet. Ansible befüllt die Variablen beim Ausführen pro Host automatisch.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Alle Konfigurationsdateien werden als Jinja2-Templates verwaltet. Ansible befüllt die Variablen beim Ausführen pro Host automatisch.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Hostname ====</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Der Hostname wird direkt per Ansible-Modul gesetzt:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"><pre></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">fw.it{{ fw_xx }}.int</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></pre></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== /etc/hosts ====</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"><pre></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">127.0.0.1 localhost</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">127.0.1.1 fw.it{{ fw_xx }}.int fw</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">::1 localhost ip6-localhost ip6-loopback</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">ff02::1 ip6-allnodes</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">ff02::2 ip6-allrouters</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></pre></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== /etc/resolv.conf ====</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"><pre></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">search it{{ fw_xx }}.int</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">nameserver 192.168.{{ fw_y }}.88</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></pre></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== /etc/network/interfaces ====</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== /etc/network/interfaces ====</div></td></tr>
<!-- diff cache key my_wiki:diff::1.12:old-68447:rev-68453 -->
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Ansible_KIT_Firewall-Konfiguration&diff=68447&oldid=prev
Thomas.will: Die Seite wurde neu angelegt: „= Firewall-Konfiguration mit Ansible = Dieser Artikel zeigt wie man mehrere Firewall-VMs automatisiert mit Ansible konfiguriert. Wir ve…“
2026-04-07T12:43:24Z
<p>Die Seite wurde neu angelegt: „= Firewall-Konfiguration mit Ansible = Dieser Artikel zeigt wie man mehrere Firewall-VMs automatisiert mit <a href="/index.php/Ansible_Grundlagen" title="Ansible Grundlagen">Ansible</a> konfiguriert. Wir ve…“</p>
<p><b>Neue Seite</b></p><div>= Firewall-Konfiguration mit Ansible =<br />
<br />
Dieser Artikel zeigt wie man mehrere Firewall-VMs automatisiert mit [[Ansible Grundlagen|Ansible]] konfiguriert.<br />
Wir verwenden eine Ansible-Rolle die Netzwerk-Interfaces, Hostnamen, DNS-Auflösung und NAT mit nftables einrichtet.<br />
<br />
== Voraussetzungen ==<br />
<br />
* Ansible ist auf dem Control-Node installiert ([[Ansible Grundlagen]])<br />
* Alle Firewall-VMs sind erreichbar (SSH)<br />
* User <code>kit</code> ist auf allen VMs vorhanden und hat <code>sudo NOPASSWD</code>-Rechte<br />
* SSH-Schlüssel ist hinterlegt<br />
<br />
== Variablen ==<br />
<br />
Jede Firewall-VM hat zwei individuelle Werte:<br />
<br />
{| class="wikitable"<br />
! Variable !! Bedeutung !! Beispiel<br />
|-<br />
| <code>fw_xx</code> || Teilnehmernummer (201–213) || <code>212</code><br />
|-<br />
| <code>fw_y</code> || Klassensaal (1–16) || <code>16</code><br />
|}<br />
<br />
Diese Werte werden in alle Konfigurationsdateien als Jinja2-Variablen eingesetzt, z.B. <code>172.26.{{ fw_xx }}.1</code>.<br />
<br />
== Projektstruktur ==<br />
<br />
<pre><br />
ansible-fw/<br />
├── ansible.cfg<br />
├── site.yml<br />
├── inventory/<br />
│ └── hosts.ini<br />
└── roles/<br />
└── fw/<br />
├── tasks/<br />
│ └── main.yml<br />
├── handlers/<br />
│ └── main.yml<br />
└── templates/<br />
├── interfaces.j2<br />
├── hosts.j2<br />
├── resolv.conf.j2<br />
├── nftables.conf.j2<br />
└── 99-ipforward.conf.j2<br />
</pre><br />
<br />
== Inventory ==<br />
<br />
In der Datei <code>inventory/hosts.ini</code> werden alle Firewall-VMs definiert.<br />
Jeder Host bekommt seine eigene <code>fw_xx</code>-Variable. Die gemeinsamen Variablen stehen unter <code>[firewalls:vars]</code>.<br />
<br />
<pre><br />
[firewalls]<br />
fw201 ansible_host=192.168.16.201 fw_xx=201<br />
fw202 ansible_host=192.168.16.202 fw_xx=202<br />
...<br />
fw213 ansible_host=192.168.16.213 fw_xx=213<br />
<br />
[firewalls:vars]<br />
ansible_user=kit<br />
ansible_become=true<br />
ansible_become_method=sudo<br />
fw_y=16<br />
</pre><br />
<br />
== ansible.cfg ==<br />
<br />
Die <code>ansible.cfg</code> im Projektverzeichnis setzt Standardwerte damit man diese nicht jedes Mal auf der Kommandozeile angeben muss.<br />
<br />
<pre><br />
[defaults]<br />
inventory = inventory/hosts.ini<br />
remote_user = kit<br />
host_key_checking = False<br />
<br />
[privilege_escalation]<br />
become = True<br />
become_method = sudo<br />
</pre><br />
<br />
== Playbook ==<br />
<br />
Das Playbook <code>site.yml</code> ist bewusst einfach gehalten – es ruft nur die Rolle <code>fw</code> auf.<br />
<br />
<pre><br />
---<br />
- name: Firewall-VMs konfigurieren<br />
hosts: firewalls<br />
gather_facts: false<br />
<br />
roles:<br />
- fw<br />
</pre><br />
<br />
== Rolle: fw ==<br />
<br />
=== Tasks ===<br />
<br />
Die Datei <code>roles/fw/tasks/main.yml</code> führt alle Konfigurationsschritte der Reihe nach aus:<br />
<br />
# Hostname setzen<br />
# <code>/etc/hosts</code> konfigurieren<br />
# <code>/etc/network/interfaces</code> konfigurieren<br />
# <code>/etc/resolv.conf</code> konfigurieren<br />
# <code>/etc/nftables.conf</code> konfigurieren<br />
# nftables aktivieren und starten<br />
# IP-Forward konfigurieren<br />
# Reboot<br />
<br />
Wenn sich <code>interfaces</code> oder <code>nftables.conf</code> ändern, lösen die Tasks automatisch die zugehörigen Handler aus (Neustart des Dienstes).<br />
<br />
=== Templates ===<br />
<br />
Alle Konfigurationsdateien werden als Jinja2-Templates verwaltet. Ansible befüllt die Variablen beim Ausführen pro Host automatisch.<br />
<br />
==== /etc/network/interfaces ====<br />
<br />
<pre><br />
#WAN<br />
auto enp0s3<br />
iface enp0s3 inet static<br />
address 192.168.{{ fw_y }}.{{ fw_xx }}/24<br />
gateway 192.168.{{ fw_y }}.254<br />
post-up ip route add 10.88.0.0/16 via 192.168.{{ fw_y }}.88<br />
<br />
#DMZ<br />
auto enp0s8<br />
iface enp0s8 inet static<br />
address 10.88.{{ fw_xx }}.1/24<br />
<br />
#LAN<br />
auto enp0s9<br />
iface enp0s9 inet static<br />
address 172.26.{{ fw_xx }}.1/24<br />
<br />
#SERVERS<br />
auto enp0s10<br />
iface enp0s10 inet static<br />
address 10.{{ fw_xx }}.1.1/24<br />
</pre><br />
<br />
==== /etc/nftables.conf ====<br />
<br />
Die Firewall verwendet NAT mit Masquerading. Pakete aus DMZ, LAN und SERVERS werden über das WAN-Interface (<code>enp0s3</code>) nach außen weitergeleitet.<br />
Interner Verkehr innerhalb <code>192.168.Y.0/24</code> und <code>10.88.0.0/16</code> wird nicht genattet (RETURN).<br />
<br />
<pre><br />
define LAN = 172.26.{{ fw_xx }}.0/24<br />
define SERVER = 10.{{ fw_xx }}.1.0/24<br />
define DMZ = 10.88.{{ fw_xx }}.0/24<br />
<br />
flush ruleset<br />
<br />
table ip nat {<br />
chain postrouting {<br />
type nat hook postrouting priority 100; policy accept;<br />
<br />
ip saddr $DMZ ip daddr 192.168.{{ fw_y }}.0/24 return<br />
ip saddr $DMZ ip daddr 10.88.0.0/16 return<br />
ip saddr $DMZ oif enp0s3 masquerade<br />
ip saddr $LAN oif enp0s3 masquerade<br />
ip saddr $SERVER oif enp0s3 masquerade<br />
}<br />
}<br />
</pre><br />
<br />
==== IP-Forward ====<br />
<br />
Damit die Firewall Pakete zwischen den Interfaces weiterleitet, muss IP-Forwarding aktiviert sein:<br />
<br />
<pre><br />
net.ipv4.ip_forward=1<br />
</pre><br />
<br />
Diese Einstellung wird in <code>/etc/sysctl.d/99-ipforward.conf</code> gespeichert und ist nach dem Reboot dauerhaft aktiv.<br />
<br />
== Ausführen ==<br />
<br />
;Alle Hosts:<br />
* <code>ansible-playbook site.yml</code><br />
<br />
;Nur einzelne Hosts (z.B. zum Testen):<br />
* <code>ansible-playbook site.yml --limit fw212,fw213</code><br />
<br />
;Nur bestimmte Tasks ausführen (Tags, falls definiert):<br />
* <code>ansible-playbook site.yml --limit fw212 --tags nftables</code><br />
<br />
== Siehe auch ==<br />
<br />
* [[Ansible Grundlagen]]<br />
* [[nftables Masquerade]]<br />
* [[Debian Netzwerkkonfiguration]]</div>
Thomas.will