Closed niccolox closed 6 years ago
Hi. Port forwarding is done by the iptables firewall, in DebOps it's managed by the debops.ferm Ansible roles. You can read some examples here.
these are my inventory ferm
- name: 'dmz_rules'
  rules:
    - type: 'dmz'
      name: 'cowboy'
      public_ip: [ '149.228.93.14' ]
      private_ip: [ '149.228.93.14' ]
      protocol: 'tcp'
      port: [ '443' ]
      dport: [ '8443' ]
- name: 'allow_clusters'
  rules:
    - type: 'accept'
      protocol: 'tcp'
      dport: [ '80' ]
    - type: 'accept'
      protocol: 'tcp'
      dport: [ '8080' ]
errors
● ferm.service - ferm firewall configuration
   Loaded: loaded (/lib/systemd/system/ferm.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2018-07-25 23:25:46 UTC; 4s ago
  Process: 4220 ExecStop=/etc/init.d/ferm stop (code=exited, status=25)
  Process: 5940 ExecStart=/etc/init.d/ferm start (code=exited, status=25)
 Main PID: 5940 (code=exited, status=25)
Jul 25 23:25:46 v1 ferm[5940]: destination $ PUBLIC_IP DNAT to @cat
Jul 25 23:25:46 v1 ferm[5940]: (
Jul 25 23:25:46 v1 ferm[5940]: $ PRIVATE_IP , ":8443"
Jul 25 23:25:46 v1 ferm[5940]: )
Jul 25 23:25:46 v1 ferm[5940]: <--
Jul 25 23:25:46 v1 ferm[5940]: String expected
Jul 25 23:25:46 v1 ferm[5940]: ...fail!
is it this bug?
Thanks for the example. I managed to pinpoint the cause - the @ipfilter() ferm function only returns lists and not strings, that broke the subsequent @cat() function. To fix that, the IPv4/IPv6 parsing is done on Ansible level and only the first IP address is used to generate the ferm rule. This should be fixed in the debops/debops monorepo after the PR is merged.
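The approach described in the reply above, sketched as an added example (not code from DebOps or from this thread): the address family is resolved before the rule is rendered, only the first address per family is used, and the DNAT target is written as a literal string so no ferm list reaches @cat(). The function names and the one-line rule layout are assumptions for illustration, not the role's actual template.

```python
import ipaddress

# The 'dmz' rule from the inventory above, as a Python dict.
COWBOY = {"type": "dmz", "name": "cowboy", "protocol": "tcp",
          "public_ip": ["149.228.93.14"], "private_ip": ["149.228.93.14"],
          "port": ["443"], "dport": ["8443"]}

def first_of_family(addresses, version):
    """Return the first address of the given IP version as a plain string."""
    for raw in addresses:
        # ip_address() raises ValueError on anything that is not one address
        if ipaddress.ip_address(raw).version == version:
            return raw
    return None

def render_dmz_rule(rule):
    """Render ferm DNAT lines (hypothetical layout) with literal targets."""
    lines = []
    for version, domain in ((4, "ip"), (6, "ip6")):
        public = first_of_family(rule["public_ip"], version)
        private = first_of_family(rule["private_ip"], version)
        if public is None or private is None:
            continue  # no same-family pair, so no rule for this family
        host = f"[{private}]" if version == 6 else private
        for port, dport in zip(rule["port"], rule["dport"]):
            lines.append(
                f"domain {domain} table nat chain PREROUTING "
                f"proto {rule['protocol']} daddr {public} dport {port} "
                f"DNAT to {host}:{dport};")
    return lines

if __name__ == "__main__":
    print("\n".join(render_dmz_rule(COWBOY)))
```

Because each address is validated with `ipaddress` before rendering, a malformed or CIDR-style entry in the inventory fails at templating time instead of producing a ferm file that stops the firewall service from starting.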
hi
I am using debops on bionic and am stuck on something super simple
how do I make a port forward from 443 to 8443?
I am running Phoenix/Elixir/Erlang on port 8443 and want a debops config/inventory/play for a simple port forward
I have tried obvious and simple, but am lost