trent/trents_blog
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
a73e65221e
trents_blog/site/posts/ansible-kvm-router-lab-part-5/index.html

2430 lines
64 KiB
HTML
Raw Normal View History

rebuild site
2021-10-18 03:27:50 -07:00
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Trent's blog of mostly technical documentations.">
<link rel="canonical" href="https://blog.trentsonlinedocs.xyz/posts/ansible-kvm-router-lab-part-5/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.2, mkdocs-material-7.2.6">
<title>Ansible KVM Router Lab Part 5 - Trent's Blog</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.802231af.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.3f5d1f46.min.css">
<meta name="theme-color" content="#ffffff">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../extra.css">
<meta property="og:type" content="website" />
<meta property="og:title" content="Trent's Blog - Ansible KVM Router Lab Part 5" />
<meta property="og:description" content="Trent's blog of mostly technical documentations." />
<meta property="og:url" content="https://blog.trentsonlinedocs.xyz/posts/ansible-kvm-router-lab-part-5/" />
<meta property="og:image" content="https://blog.trentsonlinedocs.xyz/photos/trent.png" />
<meta property="og:image:type" content="image/png" />
<meta property="og:image:width" content="1120" />
<meta property="og:image:height" content="1120" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:site" content="@BoringTrent" />
<meta name="twitter:creator" content="@BoringTrent" />
<meta name="twitter:title" content="Trent's Blog - Ansible KVM Router Lab Part 5" />
<meta name="twitter:description" content="Trent's blog of mostly technical documentations." />
<meta name="twitter:image" content="https://blog.trentsonlinedocs.xyz/photos/trent.png" />
<link href="https://blog.trentsonlinedocs.xyz/feed_rss_created.xml" type="application/rss+xml" rel="alternate" title="Trent's Blog - RSS Feed Created"/>
<link href="https://blog.trentsonlinedocs.xyz/feed_rss_updated.xml" type="application/rss+xml" rel="alternate" title="Trent's Blog - RSS Feed Updated"/>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="white" data-md-color-accent="">
<script>function __prefix(e){return new URL("../..",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#introduction" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Trent&#39;s Blog" class="md-header__button md-logo" aria-label="Trent's Blog" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Trent's Blog
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Ansible KVM Router Lab Part 5
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../../rss/" class="md-tabs__link">
RSS
</a>
</li>
<li class="md-tabs__item">
<a href="../../links/" class="md-tabs__link">
Links
</a>
</li>
<li class="md-tabs__item">
<a href="../ansible-kvm-router-lab-part-6/" class="md-tabs__link md-tabs__link--active">
Posts
</a>
</li>
<li class="md-tabs__item">
<a href="https://git.boringonian.com/trent/trents_blog" class="md-tabs__link">
Source
</a>
</li>
<li class="md-tabs__item">
<a href="https://trentpalmer.org" class="md-tabs__link">
TrentReads
</a>
</li>
<li class="md-tabs__item">
<a href="https://blog.trentpalmer.org" class="md-tabs__link">
AttentionSpanHistory
</a>
</li>
<li class="md-tabs__item">
<a href="https://github.com/TrentSPalmer" class="md-tabs__link">
GitHub
</a>
</li>
<li class="md-tabs__item">
<a href="https://twitter.com/boringtrent" class="md-tabs__link">
Twitter
</a>
</li>
<li class="md-tabs__item">
<a href="https://www.facebook.com/trentspalmer" class="md-tabs__link">
Facebook
</a>
</li>
<li class="md-tabs__item">
<a href="https://docs.trentsonlinedocs.xyz/" class="md-tabs__link">
TrentDocs
</a>
</li>
<li class="md-tabs__item">
<a href="https://trentsonlinedocs.xyz/hugo-themes-report/hugo-themes-report.html" class="md-tabs__link">
HugoThemesReport
</a>
</li>
<li class="md-tabs__item">
<a href="https://play.google.com/store/apps/details?id=org.trentpalmer.libre_gps_parser" class="md-tabs__link">
LibreGpsParser
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Trent&#39;s Blog" class="md-nav__button md-logo" aria-label="Trent's Blog" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
Trent's Blog
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_1" type="checkbox" id="__nav_1" >
<label class="md-nav__link" for="__nav_1">
Home
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Home" data-md-level="1">
<label class="md-nav__title" for="__nav_1">
<span class="md-nav__icon md-icon"></span>
Home
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
Home
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-6/" class="md-nav__link">
Ansible KVM Router Lab Part 6
</a>
</li>
<li class="md-nav__item">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Ansible KVM Router Lab Part 5
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Ansible KVM Router Lab Part 5
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="#setup-ansible" class="md-nav__link">
Setup Ansible
</a>
</li>
<li class="md-nav__item">
<a href="#run-ansible" class="md-nav__link">
Run Ansible
</a>
</li>
<li class="md-nav__item">
<a href="#ansible-tasks" class="md-nav__link">
Ansible Tasks
</a>
<nav class="md-nav" aria-label="Ansible Tasks">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#install-dnsmasq-iptables-persistent" class="md-nav__link">
Install dnsmasq, iptables-persistent
</a>
</li>
<li class="md-nav__item">
<a href="#install-traceroute" class="md-nav__link">
Install traceroute
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcnetworkinterfaces" class="md-nav__link">
Backup /etc/network/interfaces
</a>
</li>
<li class="md-nav__item">
<a href="#update-network-config" class="md-nav__link">
Update Network Config
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcdnsmasqconf" class="md-nav__link">
Backup /etc/dnsmasq.conf
</a>
</li>
<li class="md-nav__item">
<a href="#configure-dnsmasq" class="md-nav__link">
Configure dnsmasq
</a>
</li>
<li class="md-nav__item">
<a href="#configure-network-ifup" class="md-nav__link">
Configure Network ifup
</a>
</li>
<li class="md-nav__item">
<a href="#restart-network-and-dnsmasq" class="md-nav__link">
Restart Network and dnsmasq
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcsysctlconf" class="md-nav__link">
Backup /etc/sysctl.conf
</a>
</li>
<li class="md-nav__item">
<a href="#enable-ipv4-forwarding" class="md-nav__link">
Enable ipv4 forwarding
</a>
</li>
<li class="md-nav__item">
<a href="#start-ipv4-forwarding" class="md-nav__link">
Start ipv4 forwarding
</a>
</li>
<li class="md-nav__item">
<a href="#configure-iptables-workaround" class="md-nav__link">
Configure iptables workaround
</a>
</li>
<li class="md-nav__item">
<a href="#apply-iptables-workaround" class="md-nav__link">
Apply iptables workaround
</a>
</li>
<li class="md-nav__item">
<a href="#configure-iptables" class="md-nav__link">
Configure iptables
</a>
</li>
<li class="md-nav__item">
<a href="#apply-iptables-firewall" class="md-nav__link">
Apply iptables firewall
</a>
</li>
<li class="md-nav__item">
<a href="#traceroute-test" class="md-nav__link">
traceroute test
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#to-be-continued" class="md-nav__link">
To Be Continued
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-4/" class="md-nav__link">
Ansible KVM Router Lab Part 4
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-3/" class="md-nav__link">
Ansible KVM Router Lab Part 3
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-2/" class="md-nav__link">
Ansible KVM Router Lab Part 2
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-1/" class="md-nav__link">
Ansible KVM Router Lab Part 1
</a>
</li>
<li class="md-nav__item">
<a href="../add-kvm-network-with-virsh/" class="md-nav__link">
Add KVM Network With Virsh
</a>
</li>
<li class="md-nav__item">
<a href="../kvm-on-arch/" class="md-nav__link">
KVM On Arch
</a>
</li>
<li class="md-nav__item">
<a href="../raspberrypi-lte-failover-router-with-dns-caching/" class="md-nav__link">
RaspberryPi LTE-Failover Router With DNS Caching
</a>
</li>
<li class="md-nav__item">
<a href="../debian-11-nspawn-flutter-integration-test-server/" class="md-nav__link">
Flutter Integration Test Server in Debian 11 Nspawn Container
</a>
</li>
<li class="md-nav__item">
<a href="../debian-11-ttrss/" class="md-nav__link">
Debian 11 TT-RSS
</a>
</li>
<li class="md-nav__item">
<a href="../trents-favorite-podcasts/" class="md-nav__link">
Trent's Favorite Podcasts
</a>
</li>
<li class="md-nav__item">
<a href="../test-qr-svg-django/" class="md-nav__link">
Test QR SVG Django
</a>
</li>
<li class="md-nav__item">
<a href="../prosody-photo-uploads/" class="md-nav__link">
Prosody Photo Uploads
</a>
</li>
<li class="md-nav__item">
<a href="../xmpp-apt-notifications/" class="md-nav__link">
XMPP Apt Notification
</a>
</li>
<li class="md-nav__item">
<a href="../apache-virtual-hosts/" class="md-nav__link">
Apache Virtual Hosts
</a>
</li>
<li class="md-nav__item">
<a href="../sendxmpp-handler-for-python-logging/" class="md-nav__link">
SENDXMPP Handler for Python Logging
</a>
</li>
<li class="md-nav__item">
<a href="../instructions-for-tethering-from-phone/" class="md-nav__link">
Instruction For Tethering From Phone
</a>
</li>
<li class="md-nav__item">
<a href="../lmde4-custom-partitions-disk-encryption/" class="md-nav__link">
LMDE4 Custom Partitions for Disk Encryption
</a>
</li>
<li class="md-nav__item">
<a href="../linux-move-cursor-with-keyboard/" class="md-nav__link">
Linux Move Cursor With Keyboard
</a>
</li>
<li class="md-nav__item">
<a href="../simplified-raspberry-streaming/" class="md-nav__link">
Simplified Raspberry Streaming
</a>
</li>
<li class="md-nav__item">
<a href="../clear-linux-encrypted-xfs-root/" class="md-nav__link">
Clear Linux Encrypted XFS Root
</a>
</li>
<li class="md-nav__item">
<a href="../clear-linux-guest-virt-manager/" class="md-nav__link">
Clear Linux Guest Virt Manager
</a>
</li>
<li class="md-nav__item">
<a href="../faster-partitioning-with-sgdisk/" class="md-nav__link">
Faster Partitioning with Sgdisk
</a>
</li>
<li class="md-nav__item">
<a href="../lmde3-xfs-full-disk-encryption/" class="md-nav__link">
LMDE3 XFS Full Disk Encryption
</a>
</li>
<li class="md-nav__item">
<a href="../rewrite-hugo-themes-report-in-python/" class="md-nav__link">
Rewrite Hugo Themes Report In Python
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
RSS
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="RSS" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
RSS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../rss/" class="md-nav__link">
RSS
</a>
</li>
<li class="md-nav__item">
<a href="/feed_rss_created.xml" class="md-nav__link">
RssCreated
</a>
</li>
<li class="md-nav__item">
<a href="/feed_rss_updated.xml" class="md-nav__link">
RssUpdated
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3">
Links
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Links" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Links
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../links/" class="md-nav__link">
Links
</a>
</li>
<li class="md-nav__item">
<a href="https://git.boringonian.com/trent/trents_blog" class="md-nav__link">
Source
</a>
</li>
<li class="md-nav__item">
<a href="https://trentpalmer.org" class="md-nav__link">
TrentReads
</a>
</li>
<li class="md-nav__item">
<a href="https://blog.trentpalmer.org" class="md-nav__link">
AttentionSpanHistory
</a>
</li>
<li class="md-nav__item">
<a href="https://github.com/TrentSPalmer" class="md-nav__link">
GitHub
</a>
</li>
<li class="md-nav__item">
<a href="https://twitter.com/boringtrent" class="md-nav__link">
Twitter
</a>
</li>
<li class="md-nav__item">
<a href="https://www.facebook.com/trentspalmer" class="md-nav__link">
Facebook
</a>
</li>
<li class="md-nav__item">
<a href="https://docs.trentsonlinedocs.xyz/" class="md-nav__link">
TrentDocs
</a>
</li>
<li class="md-nav__item">
<a href="https://trentsonlinedocs.xyz/hugo-themes-report/hugo-themes-report.html" class="md-nav__link">
HugoThemesReport
</a>
</li>
<li class="md-nav__item">
<a href="https://play.google.com/store/apps/details?id=org.trentpalmer.libre_gps_parser" class="md-nav__link">
LibreGpsParser
</a>
</li>
<li class="md-nav__item">
<a href="https://concise-pdx.com/" class="md-nav__link">
ConcisePDX
</a>
</li>
<li class="md-nav__item">
<a href="https://trentspalmer.github.io/fcc-challenges/" class="md-nav__link">
FreeCodeCampChallenges
</a>
</li>
<li class="md-nav__item">
<a href="https://trentpalmer.work/6a57bbe24d8244289610bf57533d6c6f/" class="md-nav__link">
DeviceLayout
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4">
Posts
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Posts" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Posts
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-6/" class="md-nav__link">
Ansible KVM Router Lab Part 6
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Ansible KVM Router Lab Part 5
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Ansible KVM Router Lab Part 5
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="#setup-ansible" class="md-nav__link">
Setup Ansible
</a>
</li>
<li class="md-nav__item">
<a href="#run-ansible" class="md-nav__link">
Run Ansible
</a>
</li>
<li class="md-nav__item">
<a href="#ansible-tasks" class="md-nav__link">
Ansible Tasks
</a>
<nav class="md-nav" aria-label="Ansible Tasks">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#install-dnsmasq-iptables-persistent" class="md-nav__link">
Install dnsmasq, iptables-persistent
</a>
</li>
<li class="md-nav__item">
<a href="#install-traceroute" class="md-nav__link">
Install traceroute
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcnetworkinterfaces" class="md-nav__link">
Backup /etc/network/interfaces
</a>
</li>
<li class="md-nav__item">
<a href="#update-network-config" class="md-nav__link">
Update Network Config
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcdnsmasqconf" class="md-nav__link">
Backup /etc/dnsmasq.conf
</a>
</li>
<li class="md-nav__item">
<a href="#configure-dnsmasq" class="md-nav__link">
Configure dnsmasq
</a>
</li>
<li class="md-nav__item">
<a href="#configure-network-ifup" class="md-nav__link">
Configure Network ifup
</a>
</li>
<li class="md-nav__item">
<a href="#restart-network-and-dnsmasq" class="md-nav__link">
Restart Network and dnsmasq
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcsysctlconf" class="md-nav__link">
Backup /etc/sysctl.conf
</a>
</li>
<li class="md-nav__item">
<a href="#enable-ipv4-forwarding" class="md-nav__link">
Enable ipv4 forwarding
</a>
</li>
<li class="md-nav__item">
<a href="#start-ipv4-forwarding" class="md-nav__link">
Start ipv4 forwarding
</a>
</li>
<li class="md-nav__item">
<a href="#configure-iptables-workaround" class="md-nav__link">
Configure iptables workaround
</a>
</li>
<li class="md-nav__item">
<a href="#apply-iptables-workaround" class="md-nav__link">
Apply iptables workaround
</a>
</li>
<li class="md-nav__item">
<a href="#configure-iptables" class="md-nav__link">
Configure iptables
</a>
</li>
<li class="md-nav__item">
<a href="#apply-iptables-firewall" class="md-nav__link">
Apply iptables firewall
</a>
</li>
<li class="md-nav__item">
<a href="#traceroute-test" class="md-nav__link">
traceroute test
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#to-be-continued" class="md-nav__link">
To Be Continued
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-4/" class="md-nav__link">
Ansible KVM Router Lab Part 4
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-3/" class="md-nav__link">
Ansible KVM Router Lab Part 3
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-2/" class="md-nav__link">
Ansible KVM Router Lab Part 2
</a>
</li>
<li class="md-nav__item">
<a href="../ansible-kvm-router-lab-part-1/" class="md-nav__link">
Ansible KVM Router Lab Part 1
</a>
</li>
<li class="md-nav__item">
<a href="../add-kvm-network-with-virsh/" class="md-nav__link">
Add KVM Network With Virsh
</a>
</li>
<li class="md-nav__item">
<a href="../kvm-on-arch/" class="md-nav__link">
KVM On Arch
</a>
</li>
<li class="md-nav__item">
<a href="../raspberrypi-lte-failover-router-with-dns-caching/" class="md-nav__link">
RaspberryPi LTE-Failover Router With DNS Caching
</a>
</li>
<li class="md-nav__item">
<a href="../debian-11-nspawn-flutter-integration-test-server/" class="md-nav__link">
Flutter Integration Test Server in Debian 11 Nspawn Container
</a>
</li>
<li class="md-nav__item">
<a href="../debian-11-ttrss/" class="md-nav__link">
Debian 11 TT-RSS
</a>
</li>
<li class="md-nav__item">
<a href="../trents-favorite-podcasts/" class="md-nav__link">
Trent's Favorite Podcasts
</a>
</li>
<li class="md-nav__item">
<a href="../test-qr-svg-django/" class="md-nav__link">
Test QR SVG Django
</a>
</li>
<li class="md-nav__item">
<a href="../prosody-photo-uploads/" class="md-nav__link">
Prosody Photo Uploads
</a>
</li>
<li class="md-nav__item">
<a href="../xmpp-apt-notifications/" class="md-nav__link">
XMPP Apt Notification
</a>
</li>
<li class="md-nav__item">
<a href="../apache-virtual-hosts/" class="md-nav__link">
Apache Virtual Hosts
</a>
</li>
<li class="md-nav__item">
<a href="../sendxmpp-handler-for-python-logging/" class="md-nav__link">
SENDXMPP Handler for Python Logging
</a>
</li>
<li class="md-nav__item">
<a href="../instructions-for-tethering-from-phone/" class="md-nav__link">
Instruction For Tethering From Phone
</a>
</li>
<li class="md-nav__item">
<a href="../lmde4-custom-partitions-disk-encryption/" class="md-nav__link">
LMDE4 Custom Partitions for Disk Encryption
</a>
</li>
<li class="md-nav__item">
<a href="../linux-move-cursor-with-keyboard/" class="md-nav__link">
Linux Move Cursor With Keyboard
</a>
</li>
<li class="md-nav__item">
<a href="../simplified-raspberry-streaming/" class="md-nav__link">
Simplified Raspberry Streaming
</a>
</li>
<li class="md-nav__item">
<a href="../clear-linux-encrypted-xfs-root/" class="md-nav__link">
Clear Linux Encrypted XFS Root
</a>
</li>
<li class="md-nav__item">
<a href="../clear-linux-guest-virt-manager/" class="md-nav__link">
Clear Linux Guest Virt Manager
</a>
</li>
<li class="md-nav__item">
<a href="../faster-partitioning-with-sgdisk/" class="md-nav__link">
Faster Partitioning with Sgdisk
</a>
</li>
<li class="md-nav__item">
<a href="../lmde3-xfs-full-disk-encryption/" class="md-nav__link">
LMDE3 XFS Full Disk Encryption
</a>
</li>
<li class="md-nav__item">
<a href="../rewrite-hugo-themes-report-in-python/" class="md-nav__link">
Rewrite Hugo Themes Report In Python
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="https://git.boringonian.com/trent/trents_blog" class="md-nav__link">
Source
</a>
</li>
<li class="md-nav__item">
<a href="https://trentpalmer.org" class="md-nav__link">
TrentReads
</a>
</li>
<li class="md-nav__item">
<a href="https://blog.trentpalmer.org" class="md-nav__link">
AttentionSpanHistory
</a>
</li>
<li class="md-nav__item">
<a href="https://github.com/TrentSPalmer" class="md-nav__link">
GitHub
</a>
</li>
<li class="md-nav__item">
<a href="https://twitter.com/boringtrent" class="md-nav__link">
Twitter
</a>
</li>
<li class="md-nav__item">
<a href="https://www.facebook.com/trentspalmer" class="md-nav__link">
Facebook
</a>
</li>
<li class="md-nav__item">
<a href="https://docs.trentsonlinedocs.xyz/" class="md-nav__link">
TrentDocs
</a>
</li>
<li class="md-nav__item">
<a href="https://trentsonlinedocs.xyz/hugo-themes-report/hugo-themes-report.html" class="md-nav__link">
HugoThemesReport
</a>
</li>
<li class="md-nav__item">
<a href="https://play.google.com/store/apps/details?id=org.trentpalmer.libre_gps_parser" class="md-nav__link">
LibreGpsParser
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="#setup-ansible" class="md-nav__link">
Setup Ansible
</a>
</li>
<li class="md-nav__item">
<a href="#run-ansible" class="md-nav__link">
Run Ansible
</a>
</li>
<li class="md-nav__item">
<a href="#ansible-tasks" class="md-nav__link">
Ansible Tasks
</a>
<nav class="md-nav" aria-label="Ansible Tasks">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#install-dnsmasq-iptables-persistent" class="md-nav__link">
Install dnsmasq, iptables-persistent
</a>
</li>
<li class="md-nav__item">
<a href="#install-traceroute" class="md-nav__link">
Install traceroute
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcnetworkinterfaces" class="md-nav__link">
Backup /etc/network/interfaces
</a>
</li>
<li class="md-nav__item">
<a href="#update-network-config" class="md-nav__link">
Update Network Config
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcdnsmasqconf" class="md-nav__link">
Backup /etc/dnsmasq.conf
</a>
</li>
<li class="md-nav__item">
<a href="#configure-dnsmasq" class="md-nav__link">
Configure dnsmasq
</a>
</li>
<li class="md-nav__item">
<a href="#configure-network-ifup" class="md-nav__link">
Configure Network ifup
</a>
</li>
<li class="md-nav__item">
<a href="#restart-network-and-dnsmasq" class="md-nav__link">
Restart Network and dnsmasq
</a>
</li>
<li class="md-nav__item">
<a href="#backup-etcsysctlconf" class="md-nav__link">
Backup /etc/sysctl.conf
</a>
</li>
<li class="md-nav__item">
<a href="#enable-ipv4-forwarding" class="md-nav__link">
Enable ipv4 forwarding
</a>
</li>
<li class="md-nav__item">
<a href="#start-ipv4-forwarding" class="md-nav__link">
Start ipv4 forwarding
</a>
</li>
<li class="md-nav__item">
<a href="#configure-iptables-workaround" class="md-nav__link">
Configure iptables workaround
</a>
</li>
<li class="md-nav__item">
<a href="#apply-iptables-workaround" class="md-nav__link">
Apply iptables workaround
</a>
</li>
<li class="md-nav__item">
<a href="#configure-iptables" class="md-nav__link">
Configure iptables
</a>
</li>
<li class="md-nav__item">
<a href="#apply-iptables-firewall" class="md-nav__link">
Apply iptables firewall
</a>
</li>
<li class="md-nav__item">
<a href="#traceroute-test" class="md-nav__link">
traceroute test
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#to-be-continued" class="md-nav__link">
To Be Continued
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Ansible KVM Router Lab Part 5</h1>
<p>date: 2021-10-17</p>
<h2 id="introduction">Introduction</h2>
<p>This is Part 5 of a multi-part series of blog posts for building a
<a href="https://github.com/TrentSPalmer/router-lab" target="_blank">router lab</a>
automatically using a series of bash scripts and ansible.</p>
<p><a href="/posts/ansible-kvm-router-lab-part-1/" target="_blank">Ansible KVM Router Lab Part 1</a>
is an overview.</p>
<p>In <a href="/posts/ansible-kvm-router-lab-part-2/" target="_blank">Ansible KVM Router Lab Part 2</a>,
I break down the script
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/build_vms.bash" target="_blank">build_vms.bash</a>.</p>
<p>In <a href="/posts/ansible-kvm-router-lab-part-3/" target="_blank">Ansible KVM Router Lab Part 3</a>,
I explain
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/define_bridge_networks.bash" target="_blank">define_bridge_networks.bash</a>
and
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/shutdown_vms.bash" target="_blank">shutdown_vms.bash</a>
scripts which are used to construct the lab.</p>
<p>In <a href="/posts/ansible-kvm-router-lab-part-4/" target="_blank">Ansible KVM Router Lab Part 4</a>,
I explain
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/connect_vms_to_bridges.bash" target="_blank">connect_vms_to_bridges.bash</a>,
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/start_vms.bash" target="_blank">start_vms.bash</a>,
and <a href="https://github.com/TrentSPalmer/router-lab/blob/master/rebuild_known_hosts.bash" target="_blank">rebuild_known_hosts.bash</a>
scripts which are used to construct the lab.</p>
<p>In this post I explain how I use Ansible to finish constructing the lab.</p>
<p>In <a href="/posts/ansible-kvm-router-lab-part-6/" target="_blank">Ansible KVM Router Lab Part 6</a>,
I explain
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/disconnect_vms_from_bridges.bash" target="_blank">disconnect_vms_from_bridges.bash</a>,
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/undefine_and_remove_vms.bash" target="_blank">undefine_and_remove_vms.bash</a>,
and <a href="https://github.com/TrentSPalmer/router-lab/blob/master/remove_bridge_networks.bash" target="_blank">remove_bridge_networks</a>
which are used to destroy the lab.</p>
<h2 id="setup-ansible">Setup Ansible</h2>
<ul>
<li>Configure ansible host file
<div class="highlight"><pre><span></span><code><span class="c1"># ~/.ansible.cfg</span>
<span class="k">[defaults]</span>
<span class="na">inventory</span> <span class="o">=</span> <span class="s">~/router-lab/ansible/hosts.yml</span>
</code></pre></div></li>
<li>Setup bashrc
<div class="highlight"><pre><span></span><code><span class="c1"># ~/.bashrc</span>
<span class="nb">export</span> <span class="nv">LIBVIRT_DEFAULT_URI</span><span class="o">=</span><span class="s2">&quot;qemu+ssh://&lt;user&gt;@&lt;server&gt;/system&quot;</span>
<span class="nb">alias</span> ansible-pb<span class="o">=</span>anspb
anspb<span class="o">()</span> <span class="o">{</span>
<span class="nv">ANS_DIR</span><span class="o">=</span>~/router-lab/ansible/playbooks<span class="p">;</span>
<span class="nb">echo</span> Changing to <span class="s2">&quot;</span><span class="si">${</span><span class="nv">ANS_DIR</span><span class="si">}</span><span class="s2">&quot;</span> and executing: ansible-playbook <span class="s2">&quot;</span><span class="si">${</span><span class="p">@</span><span class="si">}</span><span class="s2">&quot;</span>
<span class="o">(</span><span class="nb">cd</span> <span class="nv">$ANS_DIR</span> <span class="o">||</span> <span class="nb">exit</span> <span class="p">;</span> ansible-playbook <span class="s2">&quot;</span><span class="si">${</span><span class="p">@</span><span class="si">}</span><span class="s2">&quot;</span><span class="o">)</span>
<span class="o">}</span>
</code></pre></div></li>
<li>install apps
<div class="highlight"><pre><span></span><code>apt install ansible ansible-lint
</code></pre></div></li>
</ul>
<h2 id="run-ansible">Run Ansible</h2>
<p><div class="highlight"><pre><span></span><code>ansible-pb build_out_routers.yml -K
</code></pre></div>
or if you want to first update all the clients
<div class="highlight"><pre><span></span><code>ansible-pb update_and_build.yml -K
</code></pre></div></p>
<h2 id="ansible-tasks">Ansible Tasks</h2>
<p>This is an explaination of the tasks in the Ansible Playbook.
Playbooks are executed from top to bottom.</p>
<h3 id="install-dnsmasq-iptables-persistent">Install <code>dnsmasq</code>, <code>iptables-persistent</code></h3>
<p>This task is only run against the first and second lab clients as
they are the routers.</p>
<h3 id="install-traceroute">Install <code>traceroute</code></h3>
<p>Traceroute is parsed in a later task to confirm that traffic is
following the correct route.
(Also incidentally installs <code>needrestart</code> and <code>screen</code>.)</p>
<h3 id="backup-etcnetworkinterfaces">Backup <code>/etc/network/interfaces</code></h3>
<p>This is a simple bash command that tests if <code>/etc/network/interfaces.bak</code>
exists, and if not creates it.</p>
<h3 id="update-network-config">Update Network Config</h3>
<p>This task updates <code>/etc/network/interfaces</code> in all the lab clients
to describe the network interfaces needed to connect to each other.</p>
<p>For instance, here is the new <code>/etc/network/interfaces</code> file for <em>dnettwo</em>.
<div class="highlight"><pre><span></span><code><span class="c1"># /etc/network/interfaces</span>
<span class="c1"># This file describes the network interfaces available on your system</span>
<span class="c1"># and how to activate them. For more information, see interfaces(5).</span>
<span class="na">source /etc/network/interfaces.d/*</span>
<span class="c1"># The loopback network interface</span>
<span class="na">auto lo</span>
<span class="na">iface lo inet loopback</span>
<span class="c1"># The primary network interface</span>
<span class="na">allow-hotplug enp1s0</span>
<span class="na">iface enp1s0 inet dhcp</span>
<span class="c1"># The primary network interface</span>
<span class="na">allow-hotplug enp7s0</span>
<span class="na">iface enp7s0 inet dhcp</span>
<span class="na">auto enp8s0</span>
<span class="na">iface enp8s0 inet static</span>
<span class="na">address 10.4.4.1</span>
<span class="na">network 10.4.4.0</span>
<span class="na">netmask 255.255.255.0</span>
<span class="na">broadcast 10.4.4.255</span>
</code></pre></div></p>
<h3 id="backup-etcdnsmasqconf">Backup <code>/etc/dnsmasq.conf</code></h3>
<p>This is a simple bash command that tests if <code>/etc/dnsmasq.conf.bak</code>
exists, and if not creates it. (only applies to the two router clients)</p>
<h3 id="configure-dnsmasq">Configure <code>dnsmasq</code></h3>
<p>This task copies the templates for <code>/etc/dnsmasq.conf</code> to each of
the two router clients.</p>
<p><code>dnsmasq</code> is used to provide <em>DHCP</em> (and name resolution).
For instance, here is the new <code>/etc/dnsmasq.conf</code> for <em>dnetone</em>.
<div class="highlight"><pre><span></span><code><span class="c1"># /etc/dnsmasq.conf</span>
<span class="na">dhcp-range</span><span class="o">=</span><span class="s">10.5.5.50,10.5.5.150</span>
<span class="na">listen-address</span><span class="o">=</span><span class="s">127.0.0.1, 10.5.5.1</span>
</code></pre></div></p>
<h3 id="configure-network-ifup">Configure Network <em>ifup</em></h3>
<p>This applies to all the lab clients except for the first one,
changes the default route. A bash script is copied from
template to <code>/etc/network/if-up.d/ifup-script</code>.</p>
<p>For instance here is <code>ifup-script</code> for <em>dnetthree</em>.
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># /etc/network/if-up.d/ifup-script</span>
<span class="nv">default_dev</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span>ip route <span class="p">|</span> head -1 <span class="p">|</span> awk <span class="s1">&#39;{print $5}&#39;</span><span class="k">)</span><span class="s2">&quot;</span>
<span class="nb">echo</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">default_dev</span><span class="si">}</span><span class="s2">&quot;</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">default_dev</span><span class="si">}</span><span class="s2">&quot;</span> <span class="o">==</span> <span class="s2">&quot;enp1s0&quot;</span> <span class="o">]</span>
<span class="k">then</span>
ip route del default via <span class="m">10</span>.55.44.1 dev enp1s0
<span class="k">fi</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">default_dev</span><span class="si">}</span><span class="s2">&quot;</span> !<span class="o">=</span> <span class="s2">&quot;enp7s0&quot;</span> <span class="o">]</span>
<span class="k">then</span>
ip route add default via <span class="m">10</span>.4.4.1 dev enp7s0
<span class="k">fi</span>
</code></pre></div></p>
<h3 id="restart-network-and-dnsmasq">Restart Network and <code>dnsmasq</code></h3>
<p>This is sequential:</p>
<ol>
rebuild site
2021-10-18 03:37:28 -07:00
<li><em>enp7s0</em> is restarted on <em>dnetone</em></li>
rebuild site
2021-10-18 03:27:50 -07:00
<li><code>dnsmasq</code> is restarted on <em>dnetone</em>, offering service on <em>enp7s0</em></li>
<li><em>enp7s0</em> and <em>enp8s0</em> are restarted on <em>dnettwo</em>, thus soliciting dhcp service on <em>enp7s0</em>, and triggering <code>/etc/network/if-up.d/ifup-script</code></li>
<li><code>dnsmasq</code> is restarted on <em>dnettwo</em>, offering service on <em>enp8s0</em></li>
<li><em>enp7s0</em> is restarted on <em>dnetthree</em>, <em>dnetfour</em>, and <em>dnetfive</em>, thus soliciting dhcp service on <em>enp7s0</em>, and triggering <code>/etc/network/if-up.d/ifup-script</code></li>
</ol>
<h3 id="backup-etcsysctlconf">Backup <code>/etc/sysctl.conf</code></h3>
<p>This is a simple bash command that tests if <code>/etc/sysctl.conf.bak</code>
exists, and if not creates it. (only applies to the two router clients)</p>
<h3 id="enable-ipv4-forwarding">Enable <em>ipv4 forwarding</em></h3>
<p>This is a simple bash command that uncomments the option for <em>ipv4 forwarding</em>
in <code>/etc/sysctl.conf</code>, applies only to the two routers.
<div class="highlight"><pre><span></span><code><span class="c1"># /etc/sysctl.conf</span>
<span class="na">...</span>
<span class="c1"># this</span>
<span class="c1">#net.ipv4.ip_forward=1</span>
<span class="na">...</span>
<span class="c1"># becomes this</span>
<span class="na">net.ipv4.ip_forward</span><span class="o">=</span><span class="s">1</span>
<span class="na">...</span>
</code></pre></div></p>
<h3 id="start-ipv4-forwarding">Start <em>ipv4 forwarding</em></h3>
<p>This simple bash command starts <em>ipv4 forwarding</em>, applies only
to the two routers.
<div class="highlight"><pre><span></span><code>bash -c <span class="s2">&quot;sysctl -w net.ipv4.ip_forward=1&quot;</span>
</code></pre></div></p>
<h3 id="configure-iptables-workaround">Configure <code>iptables</code> <em>workaround</em></h3>
<p>This applies only to the two router clients.
From <code>iptables</code>'s point of view, the ansible connection isn't a RELATED INPUT
connection, thus it is necessary to bring up a firewall in a two-step
process that involves first ACCEPTING RELATED OUTPUT connections in a workaround.</p>
<p>From ansible template, the following is copied to <code>/dev/shm/iptables_workaround</code>
<div class="highlight"><pre><span></span><code># /dev/shm/iptables_workaround
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
COMMIT
</code></pre></div></p>
<h3 id="apply-iptables-workaround">Apply <code>iptables</code> <em>workaround</em></h3>
<p>This applies only to the two router clients.
The following command is dispatched to apply the above <em>iptables_workaround</em>:
<div class="highlight"><pre><span></span><code>bash -c <span class="s2">&quot;iptables-restore &lt; /dev/shm/iptables_workaround&quot;</span>
</code></pre></div></p>
<h3 id="configure-iptables">Configure <code>iptables</code></h3>
<p>This applies only to the two router clients.</p>
<p>From ansible template the following is copied to <code>/etc/iptables/rules.v4</code> on <em>dnetone</em>.
<div class="highlight"><pre><span></span><code>*nat
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
# allow ssh, so that we do not lock ourselves
-A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
# allow incoming traffic to the outgoing connections,
# et al for clients from the private network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# prohibit everything else incoming
-A INPUT -i enp1s0 -j DROP
COMMIT
</code></pre></div></p>
<p>From ansible template the following is copied to <code>/etc/iptables/rules.v4</code> on <em>dnettwo</em>.
<div class="highlight"><pre><span></span><code>*nat
-A POSTROUTING -o enp7s0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
# allow ssh, so that we do not lock ourselves
-A INPUT -i enp7s0 -p tcp -m tcp --dport 22 -j ACCEPT
# allow incoming traffic to the outgoing connections,
# et al for clients from the private network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# prohibit everything else incoming
-A INPUT -i enp7s0 -j DROP
COMMIT
</code></pre></div></p>
<h3 id="apply-iptables-firewall">Apply <code>iptables</code> firewall</h3>
<p>This applies only to the two router clients.
The following command is dispatched to apply the above from <code>/etc/iptables/rules.v4</code>:
<div class="highlight"><pre><span></span><code>bash -c <span class="s2">&quot;iptables-restore &lt; /etc/iptables/rules.v4&quot;</span>
</code></pre></div></p>
<h3 id="traceroute-test"><code>traceroute</code> test</h3>
<p>The following script is dispatched to <em>dnettwo</em>:
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="nv">RESULT</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span>traceroute <span class="m">8</span>.8.8.8<span class="k">)</span><span class="s2">&quot;</span>
<span class="nv">FIRST_HOP</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">RESULT</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">|</span> head -2 <span class="p">|</span> tail -1 <span class="p">|</span> awk <span class="s1">&#39;{print $2}&#39;</span><span class="k">)</span><span class="s2">&quot;</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">FIRST_HOP</span><span class="si">}</span><span class="s2">&quot;</span> <span class="o">==</span> <span class="s2">&quot;10.5.5.1&quot;</span> <span class="o">]</span>
<span class="k">then</span>
<span class="nb">exit</span> <span class="m">0</span>
<span class="k">else</span>
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
</code></pre></div>
The following script is dispatched to <em>dnetthree</em>, <em>dnetfour</em>, and <em>dnetfive</em>:
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="nv">RESULT</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span>traceroute <span class="m">8</span>.8.8.8<span class="k">)</span><span class="s2">&quot;</span>
<span class="nv">FIRST_HOP</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">RESULT</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">|</span> head -2 <span class="p">|</span> tail -1 <span class="p">|</span> awk <span class="s1">&#39;{print $2}&#39;</span><span class="k">)</span><span class="s2">&quot;</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">FIRST_HOP</span><span class="si">}</span><span class="s2">&quot;</span> !<span class="o">=</span> <span class="s2">&quot;10.4.4.1&quot;</span> <span class="o">]</span>
<span class="k">then</span>
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
<span class="nv">SECOND_HOP</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">RESULT</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">|</span> head -3 <span class="p">|</span> tail -1 <span class="p">|</span> awk <span class="s1">&#39;{print $2}&#39;</span><span class="k">)</span><span class="s2">&quot;</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">&quot;</span><span class="si">${</span><span class="nv">SECOND_HOP</span><span class="si">}</span><span class="s2">&quot;</span> <span class="o">==</span> <span class="s2">&quot;10.5.5.1&quot;</span> <span class="o">]</span>
<span class="k">then</span>
<span class="nb">exit</span> <span class="m">0</span>
<span class="k">else</span>
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
</code></pre></div></p>
<h2 id="to-be-continued">To Be Continued</h2>
<p>In <a href="/posts/ansible-kvm-router-lab-part-6/" target="_blank">Ansible KVM Router Lab Part 6</a>,
I explain
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/disconnect_vms_from_bridges.bash" target="_blank">disconnect_vms_from_bridges.bash</a>,
<a href="https://github.com/TrentSPalmer/router-lab/blob/master/undefine_and_remove_vms.bash" target="_blank">undefine_and_remove_vms.bash</a>,
and <a href="https://github.com/TrentSPalmer/router-lab/blob/master/remove_bridge_networks.bash" target="_blank">remove_bridge_networks</a>
which are used to destroy the lab.</p>
<script src="https://giscus.app/client.js"
data-repo="TrentSPalmer/trentsblog_comments"
data-repo-id="R_kgDOGLitLQ"
data-category="Announcements"
data-category-id="DIC_kwDOGLitLc4B_VyZ"
data-mapping="og:title"
data-reactions-enabled="1"
data-emit-metadata="0"
data-theme="light"
crossorigin="anonymous"
async>
</script>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../ansible-kvm-router-lab-part-6/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Ansible KVM Router Lab Part 6" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Ansible KVM Router Lab Part 6
</div>
</div>
</a>
<a href="../ansible-kvm-router-lab-part-4/" class="md-footer__link md-footer__link--next" aria-label="Next: Ansible KVM Router Lab Part 4" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Ansible KVM Router Lab Part 4
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-footer-social">
<a href="https://twitter.com/boringtrent" target="_blank" rel="noopener" title="trent on twitter" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg>
</a>
<a href="https://www.facebook.com/trentspalmer" target="_blank" rel="noopener" title="trent on facebook" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M504 256C504 119 393 8 256 8S8 119 8 256c0 123.78 90.69 226.38 209.25 245V327.69h-63V256h63v-54.64c0-62.15 37-96.48 93.67-96.48 27.14 0 55.52 4.84 55.52 4.84v61h-31.28c-30.8 0-40.41 19.12-40.41 38.73V256h68.78l-11 71.69h-57.78V501C413.31 482.38 504 379.78 504 256z"/></svg>
</a>
<a href="https://github.com/TrentSPalmer" target="_blank" rel="noopener" title="trent on github" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</a>
<a href="/rss" target="_blank" rel="noopener" title="rss" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M400 32H48C21.49 32 0 53.49 0 80v352c0 26.51 21.49 48 48 48h352c26.51 0 48-21.49 48-48V80c0-26.51-21.49-48-48-48zM112 416c-26.51 0-48-21.49-48-48s21.49-48 48-48 48 21.49 48 48-21.49 48-48 48zm157.533 0h-34.335c-6.011 0-11.051-4.636-11.442-10.634-5.214-80.05-69.243-143.92-149.123-149.123-5.997-.39-10.633-5.431-10.633-11.441v-34.335c0-6.535 5.468-11.777 11.994-11.425 110.546 5.974 198.997 94.536 204.964 204.964.352 6.526-4.89 11.994-11.425 11.994zm103.027 0h-34.334c-6.161 0-11.175-4.882-11.427-11.038-5.598-136.535-115.204-246.161-251.76-251.76C68.882 152.949 64 147.935 64 141.774V107.44c0-6.454 5.338-11.664 11.787-11.432 167.83 6.025 302.21 141.191 308.205 308.205.232 6.449-4.978 11.787-11.432 11.787z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["navigation.tabs"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../../assets/javascripts/workers/search.409db549.min.js", "version": null}</script>
<script src="../../assets/javascripts/bundle.756773cc.min.js"></script>
</body>
</html>
Reference in New Issue Copy Permalink